SSME event tree titles (the event tree diagrams themselves did not survive extraction):

HIGH MIXTURE RATIO IN OXIDIZER PREBURNER EVENT TREE 1A REV.
HIGH MIXTURE RATIO IN FUEL PREBURNER EVENT TREE 2A REV.
LOSS OF FUEL TO BOTH PREBURNERS EVENT TREE 2B REV.
HIGH MIXTURE RATIO IN OXIDIZER PREBURNER EVENT TREE 3 REV.
HIGH MIXTURE RATIO IN FUEL PREBURNER EVENT TREE 4 REV.
LOSS OF FUEL TO BOTH PREBURNERS EVENT TREE 5 REV.
COOLANT LINER OVERPRESSURE EVENT TREE 7 REV.
FAILURES DURING POGO ACCUMULATOR PRECHARGE EVENT TREE 10 REV.
DUAL SSME PREMATURE SHUTDOWN EVENT TREE 11 REV.
FAILURE TO PERFORM NOMINAL MECO & PROPELLANT DUMP EVENT TREE 12 REV.

Event tree node labels recovered from the diagrams:
FAILURE TO SENSE Pc PRESSURE DROP
FAILURE TO INCREASE OXIDIZER FLOW TO FPB
FAILURE OF THE OPOV HYDRAULIC ACTUATOR
FAILURE OF PMS TO DUMP PROPELLANTS AFTER MECO
FAILURE OF THE PMS SYSTEM (ENGINE 2)
DUAL SSME PREMATURE SHUTDOWN INITIATOR
INITIATING EVENT: FAILURE TO MAINTAIN STRUCTURAL INTEGRITY
SUDDEN MECHANICAL DISASSEMBLY OF ROTATING MACHINERY
STRUCTURAL FAILURE
FUEL TURBINE TEMPERATURE REDLINE SENSOR RELIABILITY ASSESSMENT

SENSOR FAILURE DATA - FUEL SIDE ONLY

PART NUMBER   TOTAL SECONDS   FAILURES
7004-91       264,000         3
7013          158,000         2
TOTAL         422,000         5

BOTH PART NUMBERS EXHIBIT THE SAME FAILURE RATE

MISSION RELIABILITY VALUES - SINGLE SENSOR (50% CONFIDENCE)

FAILURE (HIGH OR LOW)          0.993104
FAIL HIGH - DISQUALIFY         0.9943159
FAIL HIGH - VOTE FOR CUTOFF    0.9967419
FAIL LOW - DISQUALIFY          0.9979538

HISTORICAL SSME RELIABILITY DATA

SINGLE ENGINE - 104% MISSION   0.9924918
EXCEED FUEL TURBINE REDLINE    0.9984938

ERRONEOUS SHUTDOWN PROBABILITY

FIRST FAILURE HIGH OR LOW (1 OF 2)   0.0137444
SECOND FAILURE HIGH AND VOTE         0.0032581
COMBINED                             4.478E-05
THREE ENGINE PROBABILITY             0.0001343
MTBF (FLIGHTS)                       7,440

LOSS OF PROTECTION PROBABILITY

FIRST FAILURE HIGH OR LOW (1 OF 2)   0.0137444
SECOND FAILURE - NO VOTE             0.0056841
COMBINED                             7.812E-05
THREE ENGINE PROBABILITY             0.0002344
MTBF (FLIGHTS)                       4,270

REDLINE EXCEEDED PROBABILITY

SINGLE ENGINE                        0.0015062
THREE ENGINE PROBABILITY             0.0045117
MTBF (FLIGHTS)                       220

REDLINE PROVIDES NEEDED PROTECTION

SAFE SHUTDOWN FOR 20 PERCENT OF HISTORICAL FAILURES
EXPECTED NEED: 1 IN 220 FLIGHTS
EXPECTED ERRONEOUS: 1 IN 7,440 FLIGHTS
RATIO 34 TO 1

SENSOR CATASTROPHIC POTENTIAL

LOSS OF REDLINE                      7.812E-05
ENGINE EXCEEDS REDLINE               0.0015062
COMBINED                             1.177E-07
THREE ENGINE PROBABILITY             3.53E-07
MTBF (FLIGHTS)                       2,832,780

ERRONEOUS SHUTDOWN (3 ENGINES)       0.0001343
SECOND ENGINE SHUTDOWN               0.0075082
COMBINED                             1.009E-06
MTBF (FLIGHTS)                       991,450

UNABLE TO ASSESS ORBITER ABORT RISK

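The assessment above quotes results without the model that links them. The following is an added worked example (not part of the original assessment) that reproduces its figures from the single-sensor and engine reliabilities it lists. The voting logic is an assumption read off the row labels: each engine carries two redline sensors, the first to fail (high or low) is disqualified, and the outcome then depends on how the remaining sensor fails. All function names are this example's own.

```python
"""Two-sensor fuel turbine temperature redline: voting model behind the figures above.

Added example; the voting model is assumed from the row labels, the inputs are the
page's single-sensor (50 % confidence) and historical SSME reliability values.
"""

# Single-sensor mission reliabilities (50 % confidence), from the assessment.
R_SENSOR = 0.993104       # sensor does not fail (high or low) during the mission
R_HIGH_DISQ = 0.9943159   # sensor does not fail high in the disqualifying (no-vote) way
R_HIGH_VOTE = 0.9967419   # sensor does not fail high in the vote-for-cutoff way
# Historical SSME values, from the assessment.
R_ENGINE_104 = 0.9924918  # single engine completes a 104 % mission
R_NO_REDLINE = 0.9984938  # single engine does not exceed the fuel turbine redline

SENSORS_PER_ENGINE = 2
ENGINES = 3


def any_of(p: float, n: int) -> float:
    """Probability that at least one of n independent items, each failing with probability p, fails."""
    return 1.0 - (1.0 - p) ** n


def first_sensor_failure() -> float:
    """1 of 2 sensors fails high or low; that sensor is disqualified, one sensor remains."""
    return any_of(1.0 - R_SENSOR, SENSORS_PER_ENGINE)


def erroneous_shutdown_per_engine() -> float:
    """Remaining sensor fails high and votes for cutoff: a healthy engine is shut down."""
    return first_sensor_failure() * (1.0 - R_HIGH_VOTE)


def loss_of_protection_per_engine() -> float:
    """Remaining sensor fails high without a vote and is disqualified: no redline protection left."""
    return first_sensor_failure() * (1.0 - R_HIGH_DISQ)


def redline_exceeded_per_engine() -> float:
    """Engine genuinely exceeds the fuel turbine redline (the case the redline exists for)."""
    return 1.0 - R_NO_REDLINE


def catastrophic_per_engine() -> float:
    """Protection lost on an engine that then actually exceeds the redline."""
    return loss_of_protection_per_engine() * redline_exceeded_per_engine()


def vehicle_level(p_engine: float) -> dict:
    """Roll a per-engine probability up to three engines and express it as flights per event."""
    p3 = any_of(p_engine, ENGINES)
    return {"three_engine": p3, "flights_per_event": 1.0 / p3}


def erroneous_dual_shutdown() -> float:
    """Erroneous shutdown on any engine, followed by a second engine shutting down on its own."""
    return vehicle_level(erroneous_shutdown_per_engine())["three_engine"] * (1.0 - R_ENGINE_104)


def protection_to_false_alarm_ratio() -> float:
    """Flights per erroneous shutdown divided by flights per genuine redline exceedance."""
    return (vehicle_level(erroneous_shutdown_per_engine())["flights_per_event"]
            / vehicle_level(redline_exceeded_per_engine())["flights_per_event"])


if __name__ == "__main__":
    for name, p in [("erroneous shutdown", erroneous_shutdown_per_engine()),
                    ("loss of protection", loss_of_protection_per_engine()),
                    ("redline exceeded", redline_exceeded_per_engine()),
                    ("sensor catastrophic potential", catastrophic_per_engine())]:
        v = vehicle_level(p)
        print(f"{name:30s} per engine {p:.4e}  three engines {v['three_engine']:.4e}  "
              f"1 in {v['flights_per_event']:,.0f} flights")
    print(f"erroneous dual shutdown: 1 in {1.0 / erroneous_dual_shutdown():,.0f} flights")
    print(f"protection to false-alarm ratio: {protection_to_false_alarm_ratio():.0f} to 1")
```

The "three engine" step is the same 1 - (1 - p)^n form as the two-sensor step, and the quoted MTBF values are simply the reciprocals of the three-engine probabilities, rounded; the model reproduces every figure in the tables to their printed precision.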
CUTOFF CODES

CODE        NO.  DESCRIPTION
CADS         1   COMMAND AND DATA SIMULATOR COMMAND (SIMULATES ORBITER COMPUTER)
CADS ELU     2   CADS - ELECTRONIC LOCKUP
CADS FTP     3   CADS - HPFTP TURBINE DISCHARGE TEMPERATURE REDLINE LOST
CONT         4   ENGINE CONTROLLER INITIATED
CONT FD      5   CONTROLLER - FUEL DENSITY (OBSOLETE)
CONT IEA     6   CONTROLLER - INPUT ELECTRONICS CHANNEL A
ENG RDY      7   LOSS OF ENGINE READY
F SPD IC     8   HPFTP SPEED IGNITION CONFIRM
FTDT         9   HPFTP TURBINE DISCHARGE TEMPERATURE
FTDTE       10   HPFTP TURBINE DISCHARGE TEMPERATURE - ERRONEOUS
FTIT        11   HPFTP TURBINE INLET TEMPERATURE (OBSOLETE)
FAC         12   FACILITY INITIATED CUTOFF (NOT AN ENGINE PROBLEM)
FAC E       13   FACILITY INITIATED CUTOFF - ERRONEOUS
H2O PR      14   FACILITY WATER PRESSURE
HEX DP      15   HEAT EXCHANGER DELTA PRESSURE (OBSOLETE)
HEX PR      16   HEAT EXCHANGER PRESSURE (OBSOLETE)
HEX PR E    17   HEAT EXCHANGER PRESSURE - ERRONEOUS
HF ACC      18   HPFTP ACCELEROMETERS
HF ACC A    19   HPFTP ACCELEROMETERS - AXIAL (OBSOLETE)
HF ACC E    20   HPFTP ACCELEROMETERS - ERRONEOUS
HF ACC N    21   HPFTP ACCELEROMETERS - NON STANDARD MONITOR (OBSOLETE)
HF SPD      22   HPFTP SPEED (OBSOLETE)
HGM         23   HOT GAS MANIFOLD DELTA PRESSURE
HO ACC      24   HPOTP ACCELEROMETERS
HO ACC A    25   HPOTP ACCELEROMETERS - AXIAL (OBSOLETE)
HO ACC C    26   HPOTP ACCELEROMETERS - CROSSFEED FROM HPFTP
HO ACC E    27   HPOTP ACCELEROMETERS - ERRONEOUS
            28   HPOTP ACCELEROMETERS - NON STANDARD MONITOR (OBSOLETE)
HOBRGT      29   HPOTP BEARING COOLANT TEMPERATURE
HOSPD       30   HPOTP SPEED (OBSOLETE)
HOSPDE      31   HPOTP SPEED - ERRONEOUS
INJ ACC     32   MAIN INJECTOR ACCELEROMETERS
LF ACC      33   LPFTP ACCELEROMETERS
            34   LPFTP ACCELEROMETERS - ERRONEOUS
LO ACC E    35   LPOTP ACCELEROMETERS - ERRONEOUS
            36   HPOTP LOX DISCHARGE TEMP RISE - ERRONEOUS (OBSOLETE)
            37   LPFTP TURBINE INLET PRESSURE (OBSOLETE)
            38   MCC LINER CAVITY PRESSURE
MCC ACC E   39   MAIN COMBUSTION CHAMBER ACCELEROMETERS - ERRONEOUS
MCC PC      40   MAIN CHAMBER PRESSURE
MCF ACT     41   MAJOR COMPONENT FAIL REPORT - ACTUATOR
MCF CL      42   MCF - COMMAND LIMIT
MCF DCU     43   MCF - DIGITAL COMPUTER UNIT
            44   MCF - FUEL DENSITY
MCF FTD     45   MCF - HPFTP TURBINE DISCHARGE TEMPERATURE
MCF F/M     46   MCF - FUEL FLOWMETER
MCF OTD     47   MCF - HPOTP TURBINE DISCHARGE TEMPERATURE
MCF PC      48   MCF - MAIN CHAMBER PRESSURE
MOV ACC     49   MAIN OXIDIZER VALVE ACCELEROMETER (OBSOLETE)
O DR DP     50   HPOTP PRIMARY OXIDIZER SEAL DRAIN DELTA PRESSURE (OBSOLETE)
O DR P      51   HPOTP PRIMARY OXIDIZER SEAL DRAIN PRESSURE (OBSOLETE)
O DR P E    52   HPOTP PRIMARY OXIDIZER SEAL DRAIN PRESSURE - ERRONEOUS
O DR T      53   HPOTP PRIMARY OXIDIZER SEAL DRAIN TEMPERATURE (OBSOLETE)
            54   HPOTP INTERMEDIATE SEAL PURGE PRESSURE
OISCDP      55   HPOTP INTERMEDIATE SEAL CAVITY DELTA PRESSURE (OBSOLETE)
OISCP       56   HPOTP INTERMEDIATE SEAL CAVITY PRESSURE (OBSOLETE)
            57   HPOTP INTERMEDIATE SEAL CAVITY PRESSURE - ERRONEOUS
            58   HPOTP TURBINE DISCHARGE TEMPERATURE
OTDTE       59   HPOTP TURBINE DISCHARGE TEMPERATURE - ERRONEOUS
OTIT        60   HPOTP T﻿URBINE INLET TEMPERATURE (OBSOLETE)
OTITE       61   HPOTP TURBINE INLET TEMPERATURE - ERRONEOUS (OBSOLETE)
OBS         62   MANUAL CUTOFF BY OBSERVER
            63   ERRONEOUS OBSERVER CUTOFF
OBS FIRE    64   OBSERVER CUTOFF - FIRE
            65   PREBURNER PURGE IGNITION CONFIRM
PBPRG       66   PREBURNER PURGE FAILED ON
            67   PREBURNER PUMP DISCHARGE PRESSURE (OBSOLETE)
PC IC H     68   CHAMBER PRESSURE IGNITION CONFIRM - HIGH
PC IC L     69   CHAMBER PRESSURE IGNITION CONFIRM - LOW
PC MS       70   CHAMBER PRESSURE MAINSTAGE
PHTT        71   POWERHEAD AREA ENVIRONMENT TEMPERATURE
PIF         72   LOW FUEL INLET PRESSURE (FACILITY)
PIO         73   LOW OXIDIZER INLET PRESSURE (FACILITY)
SATS        74   SHUTTLE AVIONICS TEST SET (CLUSTER GROUND TEST ORBITER COMPUTER SIMULATION)
THBNG       75   HPFTP THRUST BEARING SPEED (OBSOLETE)
THBNGE      76   HPFTP THRUST BEARING SPEED - SENSOR MALFUNCTION (OBSOLETE)
VEH         77   VEHICLE (ORBITER) COMMAND

Code numbers 1-23, 55 and 56 are legible in the source; the remaining numbers follow from the table's sequential numbering. Codes left blank did not survive extraction.
ISRB Hypothesis Descriptions

Hypothesis-1

The analyst made an educated estimate of the anticipated frequency of the event in question. This was deemed necessary when there was insufficient data to support a statistical analysis. The estimate was made after conferring with experts on the reliability of the sub-component, based on their respective experience.

Hypothesis-2

Insufficient data to support a statistical analysis was available for the NASA Standard Initiators (NSIs) and NASA Standard Detonators (NSDs); however, the components were found to be similar in both design and function to the Confined Detonating Fuses (CDFs). Because of the additional elements in the NSI and NSD assemblies, they were assumed to be 2-3 times more prone to fail than the CDF.

Hypothesis-3

The data available for the Pyrotechnic Initiator Controllers (PICs) indicate that they are extremely reliable components; however, the fact that no actual failures have occurred makes the estimation of their failure rate difficult. As a conservative assumption, their failure rate was assumed to be on the same order of magnitude as the CDFs.

Hypothesis-4

The ISRB uses pyrogenic igniters, for which a limited amount of failure data exists. For this reason the analyst made a conservative assumption based on the data available and on conversations with USBI personnel.

Hypothesis-5

This estimate concerned the possibility of an explosive device detonating without any external influence, an extremely rare event. A conservative estimate was made which considered such an event to be 10 times less likely than an explosive device (CDF) failing to detonate on command.

Hypothesis-6

The Booster Separation Motors (BSMs) have a limited amount of failure-related data; however, it was agreed (USBI and MSFC) that their failure modes were approximately an order of magnitude (10 times) more likely than an explosive device (CDF) failing to detonate.


ISRB Initiating Events PRA ISRB FAULT TREES REV. 2

Fault tree node labels recovered from the diagrams (the trees themselves did not survive extraction; truncated labels are left as extracted):

RSRM JOINTS: GAS LEAK
IGNITER TO CASE OUTER J-LEG FAILURE
RSRM HOT GAS LEAK AT CASE JOINT
LEFT AFT FIELD JOINT
HOT GAS LEAK AT
PRIMARY O-RING FAILURE PATH
THROAT INLET
HOT GAS LEAK AT THROAT EXIT
RING FAILURE
IGNITER JOINT ROTOR FAILURE
SRM WRONG THRUST
BOLT 4
BOLT 7
NO OR LATE IGNITION OF 1 SRB/RSRM
NO LEFT IGNITER NSI DETONATION
NO RIGHT IGNITER
SRB NO, LATE, OR IMPROPER SEPARATION
L AFT SEPARATION BOLT 1 FAILS TO
L AFT SEP BOLT 1 PIC A FAILS
LSEPF2A Outputs: Page 122, Page 107, Page 89, Page 98, Page 101, Page 104
L AFT SEP BOLT PIC B FAILS
LSEPF1B Outputs
L AFT SEPARATION BOLT 2 FAILS TO
L AFT SEP BOLT 2 PIC A FAILS
L AFT SEP BOLT 2 PIC B FAILS
L AFT SEP BOLT 3 PIC A FAILS
L AFT SEP BOLT 3 PIC B FAILS
L FWD SEPARATION BOLT FAILS TO
L FWD SEP BOLT PIC A FAILS
L FWD SEP BOLT PIC B FAILS
L FWD CDF MANIFOLD FAILURE
L FWD BSM PIC A FAILS
L FWD BSM PIC B FAILS
L BSM 4 FAILS TO IGNITE
L BSM 7 FAILS TO IGNITE
L BSM 8 FAILS TO IGNITE
L AFT CDF MANIFOLD FAILURE
CMDNOTRCVD Outputs: Page 123, Page 141, Page 142, Page 144, Page 146, Page 147
GPC FAILURE
CUE NOT RECEIVED
L AFT BSM PIC B FAILS
R SRB FAILS TO SEPARATE
R AFT SEPARATION BOLT 1 NSI PICS FAIL TO DETONATE
RSEPARMA Outputs: Page 183, Page 166, Page 149, Page 157, Page 160, Page 163
R SEP BOLT 1B NSI PIC FAILURE TO DETONATE
RSEPF1B Outputs: Page 152
R AFT SEPARATION BOLT 2 NSI PICS FAIL TO DETONATE
R AFT SEP BOLT 2 NSI PIC B FAILS TO DETONATE
R AFT SEPARATION BOLT 3 FAILS TO
R AFT SEP BOLT 3 PIC A FAILS
R AFT SEP BOLT 3 PIC B FAILS
R FWD SEPARATION BOLT FAILS TO
R FWD SEP BOLT PIC A FAILS
R FWD SEP BOLT PIC B FAILS
R FWD BSM NSD A FAILS TO DETONATE
R FWD BSM NSD B FAILS TO DETONATE
R BSM 4 FAILS TO IGNITE
R BSM 8 FAILS TO IGNITE
AFT MAN OR BSM FAILS TO DETONATE
R AFT BSM PIC A FAILS
R AFT BSM PIC B FAILS
L SRB BSM BURN THRU OR RUPTURE DURING SEPARATION
R SRB BSM BURN THRU OR RUPTURE DURING SEPARATION
SRB RECOVERY DEVICE: PREMATURE RELEASE
SRB THRUST VECTOR CONTROL SYSTEM FAILURE
RIGHT SRB TVC
RIGHT SRB TVC ROCK ACTUATOR
INDEPENDENT FAILURES
FAILURES
LEFT SRB THRUST
LEFT SRB TVC ROCK ACTUATOR CONTROL FAILURE
LEFT SRB TVC TILT
SRB Component Data

RSRM Joint Leak Data

NOZZLE-TO-CASE JOINTS

Joint Component | Source | Hot Firings | Leak Checks | Leak Potentiality Factor | Failures
(only the column headers survived extraction)

RSRM Joint Leak Data

IGNITER INTERNAL JOINTS

Joint Component | Source | Hot Firings | Leak Checks | Leak Potentiality Factor | Failures
S&A Primary Gasket
S&A Secondary Gasket
COMMON CAUSE
Leak Check Port Plug (case/nozzle/igniter)
OPT Primary O-Ring (3/igniter)
OPT Secondary O-Ring (3/igniter)
COMMON CAUSE
Rotor Primary O-Rings
Rotor Secondary O-Rings
COMMON CAUSE
Sll Primary O-Ring
Sll Secondary O-Ring
(only the Joint Component column survived extraction)

RSRM Joint Leak Data

IGNITER-TO-CASE JOINT

Joint Component | Source | Leak Checks | Leak Potentiality Factor
(only the column headers survived extraction)

RSRM Joint Leak Data

(table body not recovered)

RSRM Joint Leak Data

NOZZLE JOINT

Joint Component        Source                  Hot Firings   Leak Checks   Leak Potentiality Factor
RTV Backfill           Joint 1                 90                          0.6
                       Joint 2                 18
                       Joint 3                 88
                       Joint 4                 88
                       Joint 5                 88
                       Totals:                 372
Primary O-Ring         Flight                  24            390           0.9
                       Static Tests            14            50
                       Totals:                 38            440
Secondary O-Ring       Flight                                390           0.9
                       Static Tests                          50
                       Totals:                               440
Stat-O-Seals           Case                    0             9000          1
                       Igniter                 100           5040
                       Nozzle                  100           6776
                       Totals:                 200           20816
Leak Check Port Plug   Flights 1-37, 39, 41                  780           0.6
                       Static Tests                          100
                       SRM01-51L (fld)
                       SRM01-51L (noz)
                       Totals:                 11            880

Values extracted without a recoverable row position: Hot Firings 4 and 7 (Leak Check Port Plug rows, summing to the 11 total); Failures column 1, 6, 38, 0, 0.
B.3. Orbiter Auxiliary Power Unit/Hydraulics

9.0 DEVELOPMENT OF PROBABILITY DISTRIBUTIONS FOR FAULT TREES

The development of probability distributions for the fault trees is done using Bayesian updating methods. Prior probability distributions for failure rates are taken from the 1987 APU/HPU study, NPRD-95, IREP, IEEE Std 500, WASH-1400, Shuttle experience and expert judgment. System level priors for the entire APU/HYD/WSB system (failure to start and failure to run distributions) are developed using component data, mostly from the 1987 study. Bayesian updating was done at the system level using data found in the in-flight anomaly list (IFAs), PRACA reports, and Post Flight Mission Safety Evaluation Reports.

Data obtained show that there have been four APU shutdowns on ascent due to the water spray boiler failing to provide adequate cooling, and a near hydraulic system failure due to a massive hydraulic leak during descent.
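The text states that priors are Bayesian-updated with flight experience but does not show the update. The following is an added example (not the study's code or numbers) of the standard conjugate form of that step: a gamma prior on a failure rate updated with a Poisson count of events over an exposure time, which is what makes the update a two-line calculation and yields the posterior percentiles a fault tree basic event needs. The prior parameters and the exposure (75 flights, 3 units, 520 s of ascent run time each) are constructed for illustration; only the count of four ascent shutdowns comes from the text. The regularized incomplete gamma function is implemented here directly so the example runs on the standard library alone.

```python
"""Bayesian update of a failure-to-run rate: gamma prior, Poisson likelihood.

Added example with constructed inputs; the conjugate gamma/Poisson choice is an
assumption, the study names only its data sources and the four ascent shutdowns.
"""
import math
from dataclasses import dataclass


def regularized_lower_gamma(a: float, x: float) -> float:
    """P(a, x) = gamma(a, x) / Gamma(a) by the series e^-x x^a sum_n x^n / Gamma(a+n+1)."""
    if x <= 0.0:
        return 0.0
    term = 1.0 / math.gamma(a + 1.0)   # n = 0 term
    total = term
    n = 0
    while True:
        n += 1
        term *= x / (a + n)            # x^n / Gamma(a+n+1) from the previous term
        total += term
        if term < total * 1e-17 or n > 10_000:
            break
    return math.exp(-x + a * math.log(x)) * total


@dataclass(frozen=True)
class GammaRate:
    """Gamma distribution on a failure rate lambda: shape alpha, rate beta (units of exposure)."""
    alpha: float
    beta: float

    def mean(self) -> float:
        return self.alpha / self.beta

    def update(self, failures: int, exposure: float) -> "GammaRate":
        """Posterior after `failures` events in `exposure` unit-hours: add counts to the shape,
        exposure to the rate. That is the whole conjugate update."""
        return GammaRate(self.alpha + failures, self.beta + exposure)

    def cdf(self, lam: float) -> float:
        return regularized_lower_gamma(self.alpha, self.beta * lam)

    def quantile(self, p: float) -> float:
        """Inverse CDF by bisection; the bracket is generous for the shapes used here."""
        lo, hi = 0.0, (self.alpha + 10.0 * math.sqrt(self.alpha) + 10.0) / self.beta
        for _ in range(200):
            mid = 0.5 * (lo + hi)
            if self.cdf(mid) < p:
                lo = mid
            else:
                hi = mid
        return 0.5 * (lo + hi)

    def mission_failure_probability(self, run_time: float) -> float:
        """P(failure during run_time) at the mean rate: 1 - exp(-lambda t), the lambda t of 9.1.3."""
        return 1.0 - math.exp(-self.mean() * run_time)


# Constructed inputs (assumptions, not from the study).
PRIOR = GammaRate(alpha=0.5, beta=5.0)            # weak generic prior, mean 0.1 per unit-hour
ASCENT_RUN_TIME_H = 520.0 / 3600.0                # ascent run time per unit, hours
ASCENT_EXPOSURE_H = 75 * 3 * ASCENT_RUN_TIME_H    # 75 flights x 3 units, about 32.5 unit-hours
WSB_COOLING_SHUTDOWNS = 4                         # the count quoted in the text


def posterior() -> GammaRate:
    return PRIOR.update(WSB_COOLING_SHUTDOWNS, ASCENT_EXPOSURE_H)


def summary(dist: GammaRate) -> dict:
    return {
        "mean_rate": dist.mean(),
        "p05": dist.quantile(0.05),
        "p50": dist.quantile(0.50),
        "p95": dist.quantile(0.95),
        "p_fail_per_ascent": dist.mission_failure_probability(ASCENT_RUN_TIME_H),
    }


if __name__ == "__main__":
    for label, d in (("prior", PRIOR), ("posterior", posterior())):
        s = summary(d)
        print(f"{label:9s} mean {s['mean_rate']:.4f}/h  5%-95% [{s['p05']:.4f}, {s['p95']:.4f}]  "
              f"P(fail during ascent) {s['p_fail_per_ascent']:.4f}")
```

With a weak prior the posterior is driven by the observed count, which is the point of updating at the system level: the generic sources set the shape of the distribution and the flight record sets its location. A tighter prior (larger beta) would pull the posterior mean toward the generic value, and the percentiles show how much of the spread survives the update.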

Because the APU/HYD/WSB systems have redundancy, i.e., they are a two-out-of-three or better system, common cause failures become a concern. The fault trees are evaluated using the Multiple Greek Letter (MGL) method to determine the common cause and independent failure rates.

Section 9.1 describes how the MGL method is used to determine the independent failure rates and common cause failure rates from the generic failure rate for each sequence.

Section 9.2 describes the prior distributions used in the study. Fault trees are included in that section to show how prior distributions are calculated for APU/HYD/WSB failure to start, APU/HYD/WSB failure to run, and APU turbine wheel runaway.

9.1 Models/Equations for Fault Tree Basic Events

9.1.1 List of Basic Events

Table 9.1-1 is a complete list of the basic events found in the fault trees, and their two-letter identification code used throughout the model.

9.1.2 Assumptions

Several assumptions have been made concerning data input probability distributions. The first is that given a common cause leak, all three APU units leak. The second assumption pertains to the detection/confirmation of the leaks. If all three units leak, and a leak is detected in one unit, then the leaks in all units are assumed to be found. A third assumption concerns the restarts of APU units. All units will have to go through a restart process sometime during the reentry process. Some scenarios have APU hydrazine leaks detected, in which case an APU unit is shut down during the entry sequence. After an APU unit is shut down, if another unit fails, then the shutdown unit is restarted. However, in the sequence, only one restart of the shutdown APU is considered. There are several reasons for this simplistic modeling. First, the reentry sequence will not begin until an APU unit is working to perform the flight controls check. Second, leaking APUs are shut down only when a leak is detected and confirmed, and the probability of a leak being detected is only about one in twenty, so these scenario simplifications will not have a significant impact on the total risk.

Identification   Basic Event
CE               Flight critical equipment damaged given LL or TU
CF               Common cause failure to run
CL               Common cause leak
CO               No containment given turbine overspeed
CS               Common cause failure to start or run
HB               Hub breakup given turbine overspeed
ID               Independent/dependent failure to run (ascent)
IF               Independent failure to run (ascent)
IS               Independent failure to start or run (descent)
LA               Leak detected/confirmed given all three APU units leak
LD               Leak detected/confirmed given that one APU unit leaks
LF               Own leakage induced failure (ascent)
LK               Leak in one APU unit
LL               Large exhaust gas or hydrazine leak
LO               Leakage from another unit induced failure (ascent)
LS               Leakage from other unit induced failure to start or run (descent)
LU               Leak undetected given that one APU unit leaks
LZ               Leak undetected given that all three APU units leak
O1               APU unit okay given that one other APU unit leaks
O3               APU unit okay given that all three APU units leak
OK               APU unit okay
OL               APU unit okay given that it leaks
OS               Own leakage induced failure to start or run (descent)
SI               Structural integrity of aft compartment fails given LL or TU
SR               Successful restart of shutdown APU unit
TU               Turbine overspeed or hub failure at normal speed
UL               Unsuccessful single APU/HYD unit reentry, TAEM and landing

Table 9.1-1: List of Basic Events and Descriptions

9.1.3 Derivation of Common Cause Failure Equations

As components fail, it is not always entirely clear which failures are truly independent and which are common cause. In order to estimate the frequency of common cause failures from the total estimated frequency, several methods, such as the Multiple Greek Letter (MGL) or beta factor methods, are used. In this analysis, the MGL method was used. The labeling of the APU units is as follows: if a single APU unit is leaking hydrazine, then that unit is labeled as unit 1, or if all three APU units are leaking hydrazine, then the unit that is shut down (if the leaks are detected/confirmed) is labeled as unit 1.

9.1.3.1 One APU Unit Leaks Hydrazine During Reentry, TAEM and Landing (LO State) (1)

(1) The LO descent initiating event state is equivalent to the ILO ascent end state.

Sequence 4

In this sequence, APU units 1 and 2, or 1 and 3, fail. This is basically a 1 out of 3 system, denoted Q(1/3). There are two ways in which independent failures of this type can occur: $Q_1 Q_2$ and $Q_1 Q_3$. For the common cause failures, there are also two ways that those may occur: $Q_{12}$ and $Q_{13}$. Rewriting those terms in the MGL format using $Q_1$ for independent failures and $Q_2$ for common cause failure of two components yields the following equation for system failures:

$$Q(1/3) = 2Q_2 + 2Q_1^2$$

In this form of the MGL method we are dealing both with common cause failures for two systems and common cause failures for three systems. The MGL method defines two parameters, $\beta$ and $\gamma$. Beta is the ratio of two- and three-unit common cause failures of each unit to all failures for each unit. Gamma is the ratio of three-unit common cause failures to two- and three-unit common cause failures. For each unit, beta is thus:

$$\beta = \frac{2Q_2 + Q_3}{Q_1 + 2Q_2 + Q_3}$$

and gamma is:

$$\gamma = \frac{Q_3}{2Q_2 + Q_3}$$

Omitting the algebra, the single system and common cause for two system failures can be written as:

$$Q_1 = (1-\beta)Q$$

$$Q_2 = \tfrac{1}{2}(1-\gamma)\beta Q$$

Since Q represents the failures due to start or run failures, it should be rewritten as:

$$Q = q_s + \lambda t$$

where $q_s$ is the failure to start probability, and $\lambda t$ is the probability of a failure during the run time. (2)(3) If we substitute into Q(1/3) for $Q_1$, $Q_2$ and $Q$, then the equation for failures becomes:

$$Q(1/3) = \left[(1-\gamma_s)\beta_s q_s + (1-\gamma_r)\beta_r \lambda t\right] + 2\left[(1-\beta_s)q_s + (1-\beta_r)\lambda t\right]^2$$

This is the total failure rate. We now need to relate the above equation to the fault tree basic events. The first term in the above equation is the common cause term, and does not need to be changed. The second term in the above equation needs to represent the independent failures as depicted in the fault tree. For example, if we examine the fault tree for the sequence 4 LOV with the initiating LO state (one APU unit is leaking), then by analysis at the basic event level, the probability of the component failures in the sequence can be expressed as:

$$P(1,2 \text{ or } 1,3) = P(1\,IF)\,P(2\,IF) + P(1\,IF)\,P(3\,IF) + P(CCF) + P(1\,IF)\,P(3\,LO) + \cdots$$

where IF, CCF and LO were defined previously as independent failures, common cause failure, and own leak induced failure. Since we are only concerned about independent and common cause failures, we will ignore the fourth and remaining terms as being inapplicable to the determination of the common cause failure rate and the independent failure rate. If the independent failure rates are the same for all APU units, then the previous two expressions can be combined as:

$$P(CCF) = (1-\gamma_s)\beta_s q_s + (1-\gamma_r)\beta_r \lambda t$$

$$2P(IF)^2 = 2\left[(1-\beta_s)q_s + (1-\beta_r)\lambda t\right]^2$$

If we reduce the independent failure rate probability, we get:

$$P(IF) = \sqrt{\left[(1-\beta_s)q_s + (1-\beta_r)\lambda t\right]^2}$$

which reduces to:

$$P(IF) = (1-\beta_s)q_s + (1-\beta_r)\lambda t$$

Sequence 6

In this sequence, both APU units 2 and 3 have failed. This is basically a 1 out of 3 system, denoted Q(1/3). There is one way in which independent failures of this type can occur: $Q_2 Q_3$. For the common cause failures, there is also only one way that this may occur: $Q_{23}$. Rewriting those terms in the MGL format using $Q_1$ for independent failures and $Q_2$ for common cause failure of two components yields the following equation for system failures:

$$Q(1/3) = Q_2 + Q_1^2$$

As before, the single and common cause (for two systems) factors are defined as:

$$Q_1 = (1-\beta)Q$$

$$Q_2 = \tfrac{1}{2}(1-\gamma)\beta Q$$

(2) In this analysis the $\beta_s$ and $\beta_r$ are given the same numerical value, and $\gamma_s$ and $\gamma_r$ are given the same numerical value.

(3) For ascent sequences, $\lambda t$ is the probability of basic event ID (or IF) in Table 9.3-1. For descent sequences $q_s + \lambda t$ is the probability of basic event IS in Table 9.3-1.
Since Q represents the failures due to start or run failures, it should be rewritten as:

$$Q = q_s + \lambda t$$

where $q_s$ is the failure to start probability, and $\lambda t$ is the probability of a failure during the run time. If we substitute into Q(1/3) for $Q_1$, $Q_2$ and $Q$, then the equation for failures becomes:

$$Q(1/3) = \tfrac{1}{2}\left[(1-\gamma_s)\beta_s q_s + (1-\gamma_r)\beta_r \lambda t\right] + \left[(1-\beta_s)q_s + (1-\beta_r)\lambda t\right]^2$$

As before, we can see that the first term represents the common cause failure rate, and the second term represents the independent failure rate. If we examine the fault tree for the sequence 6 LOV with the initiating LO state, then by analysis at the basic event level, the probability of the component failures in the sequence can be expressed as:

$$P(2,3) = P(2\,IF)\,P(3\,IF) + P(CCF) + P(2\,IF)\,P(3\,LO) + \cdots$$

where IF, CCF and LO were defined previously as independent failures, common cause failure, and own leak induced failure. Since we are only concerned about independent and common cause failures, we will ignore the third and remaining terms as being inapplicable to the determination of the common cause failure rate and the independent failure rate. If the independent failure rates are the same for all APU units, then the previous two expressions can be combined as:

$$P(CCF) = \tfrac{1}{2}\left[(1-\gamma_s)\beta_s q_s + (1-\gamma_r)\beta_r \lambda t\right]$$

$$P(IF)^2 = \left[(1-\beta_s)q_s + (1-\beta_r)\lambda t\right]^2$$

If we reduce the independent failure rate probability, we get:

$$P(IF) = \sqrt{\left[(1-\beta_s)q_s + (1-\beta_r)\lambda t\right]^2}$$

which reduces to:

$$P(IF) = (1-\beta_s)q_s + (1-\beta_r)\lambda t$$

This is the same expression as determined in the Sequence 4 LOV.

Sequence 7

In this sequence, since there is no leak detection, no distinction is made between which units fail and which do not. All three units fail, even though 1 out of 3 is needed for survival, so this is denoted Q(1/3). There is one way in which independent failures of this type can occur: $Q_1 Q_2 Q_3$. For the common cause failures, there is also only one common cause for all three, $Q_{123}$. There are three combinations of pairs of common cause failures for two systems, i.e., $Q_{12}$ and $Q_{23}$ is one pair, and three combinations of an independent failure and a common cause failure for two systems, i.e., $Q_1$ and $Q_{23}$ is one pair. Rewriting those terms in the MGL format using $Q_1$ for independent failures, $Q_2$ for common cause failures of two components and $Q_3$ for common cause failures of three components yields the following equation for system failures:

$$Q(1/3) = Q_3 + 3Q_1 Q_2 + 3Q_2^2 + Q_1^3$$
Omitting the algebra, the failures can be written as:

$$Q_1 = (1-\beta)Q$$

$$Q_2 = \tfrac{1}{2}(1-\gamma)\beta Q$$

$$Q_3 = \gamma\beta Q$$

Substituting for $Q_1$, $Q_2$ and $Q_3$ into Q(1/3) yields:

$$Q(1/3) = \gamma\beta Q + \tfrac{3}{2}(1-\beta)\beta(1-\gamma)Q^2 + \tfrac{3}{4}\beta^2(1-\gamma)^2 Q^2 + (1-\beta)^3 Q^3$$

If we examine the above expression, we see that there are four terms, which from left to right we'll call one, two, three and four. The third term is negligible because

$$\frac{Q_2}{Q_1} = \frac{\beta(1-\gamma)}{2(1-\beta)} \ll 1$$

and it is, furthermore, much less than the second term. As before:

$$Q = q_s + \lambda t$$

where $q_s$ is the failure to start probability, and $\lambda t$ is the probability of a failure during the run time. Substituting Q into Q(1/3) with the simplifying assumption yields:

$$Q(1/3) = (\gamma_s\beta_s q_s + \gamma_r\beta_r\lambda t) + \tfrac{3}{2}\Big\{\left[(1-\beta_s)\beta_s(1-\gamma_s)q_s^2\right] + \left[(1-\beta_s)\beta_r(1-\gamma_r)q_s\lambda t\right] + \left[(1-\beta_r)\beta_s(1-\gamma_s)q_s\lambda t\right] + \left[(1-\beta_r)\beta_r(1-\gamma_r)\lambda^2 t^2\right]\Big\} + \left[(1-\beta_s)q_s + (1-\beta_r)\lambda t\right]^3$$

As before, we can see that the first term represents the common cause failure rate, and the second term represents the independent failure rate. If we examine the fault tree for the sequence 7 LOV with the initiating LO state, then by analysis at the basic event level, the probability of the component failures in the sequence can be expressed as:

$$P(1,2,3) = P(1\,IF)\,P(2\,IF)\,P(3\,IF) + P(CCF) + P(1\,LO)\,P(2\,IF)\,P(3\,IF) + \cdots$$

where IF, CCF and LO were defined previously as independent failures, common cause failure, and own leak induced failure. Since we are only concerned about independent and common cause failures, we will ignore the third and remaining terms as being inapplicable to the determination of the common cause failure rate and the independent failure rate. If the independent failure rates are the same for all APU units, then the previous two expressions can be combined as:

$$P(CCF) = \gamma_s\beta_s q_s + \gamma_r\beta_r\lambda t + \tfrac{3}{2}\Big\{\left[(1-\beta_s)\beta_s(1-\gamma_s)q_s^2\right] + \left[(1-\beta_s)\beta_r(1-\gamma_r)q_s\lambda t\right] + \left[(1-\beta_r)\beta_s(1-\gamma_s)q_s\lambda t\right] + \left[(1-\beta_r)\beta_r(1-\gamma_r)\lambda^2 t^2\right]\Big\}$$

$$P(IF) = (1-\beta_s)q_s + (1-\beta_r)\lambda t$$

Sequence 11

In this sequence, two APU units fail, and since the event is undetected, no distinction is made as to which two have failed. System failures are thus defined as:

$$Q(1/3) = 3Q_2 + 3Q_1^2$$
As before, the failures are defined as:

$$Q_1 = (1-\beta)Q$$

$$Q_2 = \tfrac{1}{2}(1-\gamma)\beta Q$$

Since Q represents the failures due to start and run failures, it should be rewritten as:

$$Q = q_s + \lambda t$$

where $q_s$ is the failure to start probability, and $\lambda t$ is the probability of a failure during the run time. If we substitute into Q(1/3) for $Q_1$, $Q_2$ and $Q$, then the equation for failures becomes:

$$Q(1/3) = \tfrac{3}{2}\left[(1-\gamma_s)\beta_s q_s + (1-\gamma_r)\beta_r\lambda t\right] + 3\left[(1-\beta_s)q_s + (1-\beta_r)\lambda t\right]^2$$

As before, we can see that the first term represents the common cause failure rate, and the second term represents the independent failure rate. If we examine the fault tree for the sequence 11 LOV with the initiating LO state, then by analysis at the basic event level, the probability of the component failures in the sequence can be expressed as:

$$P(2 \text{ fail}) = P(1\,IF)\,P(2\,IF) + P(1\,IF)\,P(3\,IF) + P(2\,IF)\,P(3\,IF) + P(CCF) + P(2\,IF)\,P(3\,LO) + \cdots$$

where IF, CCF and LO were defined previously as independent failures, common cause failure, and own leak induced failure. Since we are only concerned about independent and common cause failures, we will ignore the fifth and remaining terms as being inapplicable to the determination of the common cause failure rate and the independent failure rate. If the independent failure rates are the same for all APU units, then the previous two expressions can be combined as:

$$P(CCF) = \tfrac{3}{2}\left[(1-\gamma_s)\beta_s q_s + (1-\gamma_r)\beta_r\lambda t\right]$$

$$3P(IF)^2 = 3\left[(1-\beta_s)q_s + (1-\beta_r)\lambda t\right]^2$$

If we reduce the independent failure rate probability, we get:

$$P(IF) = (1-\beta_s)q_s + (1-\beta_r)\lambda t$$

Sequence 12 

This sequence occurs when all three APU/HYD systems fail. The equations for independent system failures and common cause failures are the same as those described for LO sequence 7.

Sequence 16 

This sequence occurs when APU/HYD systems 1 and 2 or 1 and 3 fail. The equations for independent system failures and common cause failures are the same as those described for LO sequence 4.

This sequence also models the remaining two APU units developing a common cause leak, given
the initial leak in one unit (1). As described for OK sequence 21, the formula for common cause
leakage is given by:

$$P(CCF) = \gamma_L \beta_L \lambda_L t + \tfrac{3}{2}(1-\beta_L)\beta_L(1-\gamma_L)\lambda_L^2 t^2$$

Here, $\lambda_L t$ is the probability of the initial state, LO. So, since the conditional probability of developing the common cause leak is multiplied against the initial state probability, and given that the
first term in the equation is by far the dominant factor, the common cause conditional probability
should be entered as

$$P(CCF) = \gamma_L \beta_L$$

Sequence 18 

This sequence occurs when APU/HYD systems 2 and 3 fail. The equations for independent system failures and common cause failures are the same as those described for LO sequence 6. The
equation for a common cause leak is the same as that described for LO sequence 16.

Sequence 19

This sequence occurs when all APU/HYD systems fail. The equations for independent system
failures and common cause failures are the same as those described for LO sequence 7. The equation for a common cause leak is the same as that described for LO sequence 16.

Sequence 23

This sequence occurs when any two out of the three APU/HYD systems fail. The equations for
independent system failures and common cause failures are the same as those described for LO sequence 11. The equation for a common cause leak is the same as that described for LO sequence 16.

Sequence 24

This sequence occurs when all three APU/HYD systems fail. The equations for independent system failures and common cause failures are the same as those described for LO sequence 7. The
equation for a common cause leak is the same as that described for LO sequence 16.

9.1.3.2 All Three APU Units Leak Hydrazine During Reentry, TAEM and Landing (LT State)

Sequence 4

This sequence occurs when APU/HYD systems 1 and 2 or 1 and 3 fail. The equations for independent system failures and common cause failures are the same as those described for LO sequence 4.

(1) $\lambda_L$ is the frequency of event LK in Table 9.3-1.

Sequence 6

This sequence occurs when APU/HYD systems 2 and 3 fail. The equations for independent system failures and common cause failures are the same as those described for LO sequence 6.

Sequence 7

This sequence occurs when all three APU/HYD systems fail. The equations for independent system failures and common cause failures are the same as those described for LO sequence 7.

Sequence 11

This sequence occurs when any two out of the three APU/HYD systems fail. The equations for
independent system failures and common cause failures are the same as those described for LO sequence 11.

Sequence 12

This sequence occurs when all three APU/HYD systems fail. The equations for independent system failures and common cause failures are the same as those described for LO sequence 12.

9.1.3.3 All Three APU Units are OK During Reentry, TAEM and Landing (OK State)

Sequence 4

This sequence occurs when any two out of the three APU/HYD systems fail. The equations for
independent system failures and common cause failures are the same as those described for LO sequence 11.

Sequence 5 

This sequence occurs when all three APU/HYD systems fail. The equations for independent sys- 
tem failures and common cause failures are the same as those described for LO sequence 7 

Sequence 9 

This sequence occurs when APU/HYD systems 1 and 2 or 1 and 3 fail. The equations for inde- 
pendent system failures and common cause failures are the same as those described for LO se- 
quence 4. 

This sequence also involves a common cause treatment of APU leaks. Here, we are modeling any
one of the three APUs developing a leak, which is basically a 1 out of 3 system, denoted as Q(1/3).
There are three ways in which independent failures of this type can occur: a leak in unit 1, unit 2 or unit 3. Rewriting those terms in the MGL format, using $Q_1$ for the independent failure of a unit, yields the following
equation for system failures:

$$Q(1/3) = 3Q_1$$

As before, the failures are identified as:

$$Q_1 = (1-\beta)Q$$

Since Q in this case represents leakage failures over the exposure time, Q is replaced by:

$$Q = \lambda_L t$$

where $\lambda_L$ is the leakage failure rate and $t$ is the exposure time of the system. If we substitute into
Q(1/3) for $Q_1$, then the equation for failures becomes:

$$Q(1/3) = 3(1-\beta_L)\lambda_L t$$

Since independent failures are the only contributors in this equation, we get

$$P(IF) = 3(1-\beta_L)\lambda_L t$$

Sequence 1 1 

This sequence occurs when APU/HYD systems 2 and 3 fail. The equations for independent system failures and common cause failures are the same as those described for LO sequence 6. The
equation for independent leaks is the same as that described for OK sequence 9.

Sequence 12

This sequence occurs when all three APU/HYD systems fail. The equations for independent system failures and common cause failures are the same as those described for LO sequence 7. The
equation for independent leaks is the same as that described for OK sequence 9.

Sequence 16

This sequence occurs when any two out of the three APU/HYD systems fail. The equations for
independent system failures and common cause failures are the same as those described for LO sequence 11. The equation for independent leaks is the same as that described for OK sequence 9.

Sequence 17

This sequence occurs when all three APU/HYD systems fail. The equations for independent system failures and common cause failures are the same as those described for LO sequence 7. The
equation for independent leaks is the same as that described for OK sequence 9.

Sequence 21 

This sequence occurs when APU/HYD systems 1 and 2 or 1 and 3 fail. The equations for inde- 
pendent system failures and common cause failures are the same as those described for LO se- 
quence 4. 

This sequence also involves a common cause treatment of APU leaks. Here, we are modeling all
three APUs developing leaks. The equations for independent and common cause failures are similar
to those described for LO sequence 7, but with Q defined differently, as in OK sequence 9. Omitting the algebra, the new independent and common cause failure rates can be determined by the
following equations:

$$P(CCF) = \gamma_L \beta_L \lambda_L t + \tfrac{3}{2}(1-\beta_L)\beta_L(1-\gamma_L)\lambda_L^2 t^2$$

$$P(IF) = (1-\beta_L)\lambda_L t$$

Sequence 23

This sequence occurs when APU/HYD systems 2 and 3 fail. The equations for independent system failures and common cause failures are the same as those described for LO sequence 6. The
equations for independent and common cause leaks are the same as those described for OK sequence 21.

Sequence 24

This sequence occurs when all three APU/HYD systems fail. The equations for independent system failures and common cause failures are the same as those described for LO sequence 7. The
equations for independent and common cause leaks are the same as those described for OK sequence 21.

Sequence 28

This sequence occurs when any two out of the three APU/HYD systems fail. The equations for
independent system failures and common cause failures are the same as those described for LO sequence 11. The equations for independent and common cause leaks are the same as those described for OK sequence 21.

Sequence 29

This sequence occurs when all three APU/HYD systems fail. The equations for independent system failures and common cause failures are the same as those described for LO sequence 7. The
equations for independent and common cause leaks are the same as those described for OK sequence 21.

9.1.3.4 All Three APU Units are OK During Ascent (OK State)

For the ascent phase, it is assumed that all APU units are already started, otherwise the launch sequence would not have been completed. Hence, Q is now defined as:

$$Q = \lambda t$$

Sequence 4

This sequence occurs when all three APU/HYD systems fail. The equations for independent system failures and common cause failures are similar to those described for LO sequence 7, but with
Q defined differently. Omitting the algebra, the new independent and common cause failure rates
can be determined by the following equations:

$$P(IF) = (1-\beta_r)\lambda t$$

$$P(CCF) = \gamma_r \beta_r \lambda t + \tfrac{3}{2}(1-\beta_r)\beta_r(1-\gamma_r)\lambda^2 t^2$$

9.1.3.5 At Least One APU Unit is Leaking Hydrazine During Ascent (LK State)

Sequence 6

This sequence occurs when all three APU/HYD systems fail. The equations for independent system failures and common cause failures are the same as those described for OK sequence 4. The
equation for independent leaks is the same as that described for OK sequence 9.

Sequence 7

This sequence occurs when one APU unit has an undetected leak. The equation for independent
leaks is the same as that described for OK sequence 9.

Sequence 12 

This sequence occurs when all three APU/HYD systems fail. The equations for independent system failures and common cause failures are the same as those described for OK sequence 4. The
equation for independent leaks is the same as that described for OK sequence 9.

Sequence 16

This sequence occurs when all three APU/HYD systems fail. The equations for independent system failures and common cause failures are the same as those described for OK sequence 4. The
equations for independent and common cause leaks are the same as those described for OK sequence 21.

Sequence 17

This sequence occurs when all three APU units have undetected leaks. The equations for independent and common cause leaks are the same as those described for OK sequence 21.

Sequence 20

This sequence occurs when all three APU/HYD systems fail. The equations for independent system failures and common cause failures are the same as those described for OK sequence 4. The
equations for independent and common cause leaks are the same as those described for OK sequence 21.

9.1.3.6 MGL Parameters

The following point estimates are generic over all components and all failure modes. They were
developed as part of a recent effort funded by EPRI to completely automate the process of analyzing common cause failures in PRAs. The software is available through Boyer Chu at EPRI.
This recent effort was based on previous data development and MGL method development found
in EPRI NP-3967 (1985), NUREG/CR-4780 (1988), and NUREG/CR-5801 (1993).

For information on methods and procedures for common cause failure you can refer to 
NUREG/CR-4780 (1988) and NUREG/CR-5801 (1993). 

APU component failure rates are generally within the variability range of the generic database
from which the Beta and Gamma factors are derived. We believe, therefore, that these are an indication of future failure rates of the APU, and the generic factors apply to the APUs.

We also used the generic data for common cause hydrazine leakage. We have found six leaks
(see Section 9.2.2.6). Two of the leaks happened in the same mission (STS-9) for a common
cause (carbonization and stress cracking of the injector). The Beta factor could be estimated as
1/3 (2 of 6). However, we know that the manufacturing process has been altered to reduce the
likelihood of this cause. There has also been an effort to reduce the exposure of the nozzles to
hydrazine between missions. We have used, therefore, a generic Beta factor of 0.1 instead of the
data driven Beta factor of 1/3. We see no justification to apply a Beta factor less than indicated
by the generic level.

9.1.4 Equations Graphed in Fault Tree for Illustration 

As an example of how the independent failure rate and common cause failure rate equations developed in the previous section are applied, see Figure 9.1-1. In the figure is a simple fault tree
that shows the sequence 4 LOV for the ascent phase in which no hydrazine leaks have occurred.

[Figure 9.1-1: Fault Tree for LOV Sequence 4 for an OK State During Ascent. The tree combines the three APU/HYD system failures; under each system the basic events are its independent failure, P(1 IF), P(2 IF) or P(3 IF), and the common cause failure, P(CCF).]

For the LOV to occur, all three APU/HYD systems must fail. System failures can occur independently, or as common cause failures. These failure rates were determined from the total failure
rate using the Multiple Greek Letter method previously described, and are shown under the basic
events to which they pertain.

From before, we defined P(CCF) and P(IF) as:

$$P(IF) = (1-\beta_r)\lambda t$$

$$P(CCF) = \gamma_r \beta_r \lambda t + \tfrac{3}{2}(1-\beta_r)\beta_r(1-\gamma_r)\lambda^2 t^2$$
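The following Python code is an added worked example, not code from the original report, that carries the MGL expressions of Sections 9.1.3 and 9.1.4 through numerically for a three-unit APU/HYD group. It splits a per-unit failure probability into Q_1, Q_2 and Q_3, builds P(IF) and P(CCF) for the all-three-fail sequences (LO sequence 7, OK ascent sequence 4) and for the exactly-two-fail sequence (LO sequence 11), and checks that the composed form Q_3 + 3 Q_1 Q_2 equals the expanded start/run expression written out in Section 9.1.3. The inputs in the usage section are assumptions for illustration: q_s = 0.012 and a run rate of 9.15 x 10^-3/hr over 1.5 hours are the means of Tables 9.2-2 and 9.2-1, beta = 0.1 is the generic Beta factor quoted in Section 9.1.3.6, and gamma = 0.5 is an assumed Gamma factor.

```python
"""Multiple Greek Letter (MGL) split of APU/HYD failure probabilities.

Added worked example; not code from the original report.  For a group of
three identical units the MGL method splits a unit's total failure
probability Q into
    Q1 = (1 - beta) Q                independent failure of that unit
    Q2 = 1/2 (1 - gamma) beta Q      failure shared with exactly one other unit
    Q3 = gamma beta Q                failure shared with both other units
(the 1/2 spreads the two-unit term over the two possible partner units).
Start failures (q_s) and run failures (lambda * t) carry their own beta and
gamma, as in Section 9.1.3 of the report.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Mgl:
    beta: float    # fraction of a unit's failures that involve at least one other unit
    gamma: float   # fraction of those shared failures that involve all three units


def mgl_split(q, p):
    """Return (Q1, Q2, Q3) for a total per-unit failure probability q."""
    return (1 - p.beta) * q, 0.5 * (1 - p.gamma) * p.beta * q, p.gamma * p.beta * q


def p_if(q_s, lam_t, start, run):
    """P(IF): independent failure of one unit, start plus run contributions."""
    return (1 - start.beta) * q_s + (1 - run.beta) * lam_t


def p_ccf_three(q_s, lam_t, start, run):
    """P(CCF) for all three units failing (LO sequence 7, OK ascent sequence 4).

    Q3 is the three-unit common c cause directly; a two-unit common cause (Q2)
    paired with one independent failure (Q1) can happen in three ways.
    """
    q1s, q2s, q3s = mgl_split(q_s, start)
    q1r, q2r, q3r = mgl_split(lam_t, run)
    return (q3s + q3r) + 3 * (q1s + q1r) * (q2s + q2r)


def p_ccf_three_expanded(q_s, lam_t, start, run):
    """The same term written out as the report does for sequence 7."""
    bs, gs, br, gr = start.beta, start.gamma, run.beta, run.gamma
    return (gs * bs * q_s + gr * br * lam_t
            + 1.5 * ((1 - bs) * bs * (1 - gs) * q_s ** 2
                     + (1 - bs) * br * (1 - gr) * q_s * lam_t
                     + (1 - br) * bs * (1 - gs) * q_s * lam_t
                     + (1 - br) * br * (1 - gr) * lam_t ** 2))


def p_ccf_two(q_s, lam_t, start, run):
    """P(CCF) for exactly two units failing (LO sequence 11): 3 * Q2."""
    _, q2s, _ = mgl_split(q_s, start)
    _, q2r, _ = mgl_split(lam_t, run)
    return 3 * (q2s + q2r)


def p_all_three_fail(q_s, lam_t, start, run):
    """Sequence-level probability of losing all three systems (rare-event form)."""
    return p_if(q_s, lam_t, start, run) ** 3 + p_ccf_three(q_s, lam_t, start, run)


def p_exactly_two_fail(q_s, lam_t, start, run):
    """Sequence-level probability of exactly two systems failing (rare-event form)."""
    return 3 * p_if(q_s, lam_t, start, run) ** 2 + p_ccf_two(q_s, lam_t, start, run)


if __name__ == "__main__":
    # Assumed inputs: q_s ~ 0.012 per start demand and 9.15e-3/hr over 1.5 hr of
    # run time (table means); beta = 0.1 is the generic value quoted in
    # Section 9.1.3.6, gamma = 0.5 is an assumption for illustration.
    start, run = Mgl(beta=0.1, gamma=0.5), Mgl(beta=0.1, gamma=0.5)
    q_s, lam_t = 0.012, 9.15e-3 * 1.5
    print(f"P(IF)     = {p_if(q_s, lam_t, start, run):.4e}")
    print(f"P(IF)^3   = {p_if(q_s, lam_t, start, run) ** 3:.4e}")
    print(f"P(CCF)    = {p_ccf_three(q_s, lam_t, start, run):.4e}")
    print(f"P(3 fail) = {p_all_three_fail(q_s, lam_t, start, run):.4e}")
    print(f"P(2 fail) = {p_exactly_two_fail(q_s, lam_t, start, run):.4e}")
```

With these inputs the triple-independent product P(IF)^3 is of order 10^-5 while the common cause term is of order 10^-3, which is why the common cause branch dominates the fault tree of Figure 9.1-1 and why the choice of Beta and Gamma matters far more to the LOV estimate than the exact independent rate.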

9.2 Prior Distribution for Model 

The priors used in the assessment of P(IF) came from a previous study (McDonnell Douglas Astronautics Company Engineering Services, Space Shuttle Probabilistic Risk Assessment Proof-of-Concept Study, Volume III, Auxiliary Power Unit and Hydraulic Power Unit Analysis Report, paper WP-VA88004-03, 1987). As described previously, the priors were updated at the system
level with observed Shuttle in-flight failures.

9.2.1 Inputs Needed to Develop Priors

The study performed in 1987 was done at a component level; i.e., the failure rates of the components in the system were calculated, and no quantification was done on the system level. This
study has defined basic events on the system level in order to have such information for future
decision-making. Two prior distributions, the failure to start on demand and the run failure rate,
were estimated using the component level data.

The fault tree in Figure 9.2-1 depicts the component failures that most contribute to a system failure to run. These component failure rates were agglomerated to obtain a prior distribution for
APU system failure to run (events ID, IF and IS).

Similarly, Figure 9.2-2 depicts a fault tree in which any of the component failures may cause a
failure to start condition. These component failure rates were agglomerated for the start
contribution of event IS.

The 1987 study performed a detailed fault tree for turbine overspeed. Quantification of that tree
showed that four events dominated the failure probability. These are shown in a simplified fault
tree in Figure 9.2-3.


Figure 9.2-1: Fault Tree for APU/HYD/WSB Run Failures

9.2.2 Output Distributions for Priors
9.2.2.1 APU Failure to Run

The first prior calculated is that for an APU to fail to run. Table 9.2-1 lists the component failure
frequency distributions that were in the model for APU subsystem run failures.

Failure                                        | Mean-Dist | 5th percentile | Median    | 95th percentile | Ref.(1)
-----------------------------------------------|-----------|----------------|-----------|-----------------|--------
Primary Valve Fails Closed When Pulsing        | 4.481E-03 | 3.494E-04      | 2.404E-03 | 1.225E-02       |
Isol. Valve Plugs (Contamination) When Open    | 1.086E-06 | 4.681E-08      | 4.343E-07 | 3.875E-06       | 1
Magnetic Pickup Unit Fails Low                 | 2.240E-03 | 1.747E-04      | 1.202E-03 | 6.127E-03       | 1
Fuel Pump Fails To Run                         | 7.685E-05 | 2.791E-06      | 2.887E-05 | 2.797E-04       |
Lube Oil Pump Fails To Run                     | 7.685E-05 | 2.791E-06      | 2.887E-05 | 2.797E-04       | 1
Lube Oil System Loss Of Flow                   | 2.664E-03 | 9.334E-05      | 9.698E-04 | 9.681E-03       | 1
Gas Generator Fails To Run                     | 1.436E-04 | 9.020E-07      | 2.467E-05 | 4.429E-04       | 1
Turbine Fails To Run                           | 6.041E-04 | 2.722E-05      | 2.350E-04 | 1.837E-03       |
Gearbox Fails To Run                           | 2.628E-05 | 9.323E-07      | 9.672E-06 | 9.651E-05       | 1
Fuel Inline Filter Plugs                       | 7.959E-06 | 2.799E-07      | 2.907E-06 | 2.894E-05       |
Fuel Pump Filter Plugs                         | 2.040E-04 | 2.722E-06      | 5.002E-05 | 6.507E-04       |
Failure Of Electric Power To Secondary Valves  | 4.926E-05 | 9.231E-07      | 1.357E-05 | 1.866E-04       | 1
HYD Accumulator Fails To Run                   | 2.664E-05 | 1.0E-06        | 1.0E-05   | 1.0E-04         | 2
HYD Reservoir Fails To Run                     | 2.664E-05 | 1.0E-06        | 1.0E-05   | 1.0E-04         | 2
HYD Line Filter Plugs                          | 7.840E-06 | 6.0E-06        | 7.746E-06 | 1.0E-05         | 3
HYD Relief Valve Opens Spuriously              | 1.212E-05 | 3.0E-06        | 9.487E-06 | 3.0E-05         | 5
HYD Main Pump Fails To Run                     | 4.040E-05 | 1.0E-05        | 3.162E-05 | 1.0E-04         | 2,5
HYD Circulation Pump Fails To Run              | 1.127E-04 | 7.0E-06        | 5.292E-05 | 4.0E-04         | 2,3
HYD Fluid Leak (Catastrophic)                  | 4.332E-04 | 5.0E-06        | 5.0E-05   | 5.0E-04         | 1,3,4
Water Spray Boiler Fails To Cool               | 3.385E-05 | 5.0E-06        | 2.236E-05 | 1.0E-04         | 2,5
Total Fail To Run/Hr                           | 9.150E-03 | 3.059E-03      | 6.956E-03 | 2.174E-02       |

(1) References: 1. 1987 APU Study; 2. NPRD-95; 3. IEEE-STD-500; 4. OREDA; 5. WASH-1400;
6. Shuttle history of 0 failures in 882 demands in a maximum entropy log normal:
882 = (6 APU starts/mission + 4 HPU starts + 4 HPU hot fire tests) x 63.

Table 9.2-1: Component Failures Leading to APU System Run Failure (Failures/hour)

In order to calculate the distribution of the sum of these failures, an @Risk Monte Carlo simulation (20,000 trials) in a Lotus 1-2-3 spreadsheet was used. A graphical representation of this distribution can be seen in Figure 9.2-4.
9.2.2.2 APU Failure to Start

In Table 9.2-2, various component failures are listed that will lead to a failed-start condition.
Once again, to calculate the failed-start distribution based on the sum of the various component
failures, an @Risk Monte Carlo simulation (20,000 trials) in a Lotus 1-2-3 spreadsheet was used.

Figure 9.2-4: @Risk Simulation Results for Failure to Run Frequency
Failure                                      | Mean-Dist | 5th percentile | Median    | 95th percentile | Reference
---------------------------------------------|-----------|----------------|-----------|-----------------|----------
Bypass Valve Fails To Open On Demand         | 4.689E-04 | 1.690E-05      | 1.730E-04 | 1.276E-03       |
Common Cause Heater Train B Failure          | 6.5E-05   | 4.6E-06        | 3.6E-05   | 1.5E-04         | 1
Common Cause Lube Oil Heater Train Failure   | 2.1E-05   | 5.3E-07        | 7.8E-06   | 5.7E-05         | 1
Fuel Pump Fails To Start                     | 1.278E-05 | 9.139E-08      | 2.138E-06 | 4.702E-05       | 1
Lube Oil Pump Fails To Start                 | 1.278E-05 | 9.139E-08      | 2.138E-06 | 4.702E-05       | 1
Turbine Fails To Start                       | 1.278E-05 | 9.139E-08      | 2.138E-06 | 4.702E-05       | 1
Gearbox Fails To Start                       | 1.278E-05 | 9.139E-08      | 2.138E-06 | 4.702E-05       | 1
Electric Power To Primary Valve Fails        | 6.2E-04   | 1.3E-05        | 2.0E-04   | 1.9E-03         | 1
Electric Power To Secondary Valve Fails      | 6.207E-04 | 1.329E-05      | 2.045E-04 | 1.879E-03       | 1
MPU Fails Low                                | 7.409E-04 | 3.447E-05      | 3.260E-04 | 2.032E-03       | 1
HYD Main Pump Fails To Start                 | 4.0E-04   | 4.683E-05      | 2.426E-04 | 1.257E-03       | 6
HYD Accumulator Has No Pressure At Start     | 4.475E-03 | 1.68E-04       | 1.680E-03 | 1.68E-02        | 2 (*)
HYD Reservoir Low/No Fluid At Start          | 4.475E-03 | 1.68E-04       | 1.680E-03 | 1.68E-02        | 2 (*)
Total Failures To Start                      | 1.205E-02 | 3.322E-03      | 7.949E-03 | 3.342E-02       |

(*) Converted hourly failure rate to a start failure by multiplication by exposure time (168 hours).

References: 1. 1987 APU Study; 2. NPRD-95; 3. IEEE-STD-500; 4. OREDA; 5. WASH-1400;
6. Shuttle history of 0 failures in 882 demands in a maximum entropy log normal:
882 = (6 APU starts/mission + 4 HPU starts + 4 HPU hot fire tests) x 63.

Table 9.2-2: Component Failures Leading to APU System Start Failure
(Failures/Demand to Start)

The @Risk Monte Carlo simulation (20,000 trials) for the failure to start probability distribution
can be seen in Figure 9.2-5.


[Figure 9.2-5: @Risk Simulation Results for Failure to Start Frequency (forecast: Total Failures to Start, cell D47, frequency chart, 19,671 trials shown)]
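The Python below is an added worked example, not the report's Lotus 1-2-3 / @Risk model, of the computation behind Tables 9.2-1 and 9.2-2: each component row is treated as a lognormal fitted to its 5th and 95th percentiles, independent draws are summed to obtain the system failure rate, and the mean and percentiles of the sum are read from the sorted sample. The rows embedded in the code are copied from Table 9.2-1 (a subset, for brevity, so the totals will not match the table's last row); the trial count follows the report's 20,000 and the seed is fixed so that the run is reproducible.

```python
"""Monte Carlo sum of lognormal component failure rates.

Added worked example; not code from the original report.  A lognormal is
fitted to each component's 5th/95th percentile pair, independent draws are
summed, and the percentiles of the sum are taken from the sorted sample.
Only the standard library is used.
"""
import math
import random
import statistics

Z95 = 1.6448536269514722   # standard-normal 95th percentile


def fit_lognormal(p05, p95):
    """(mu, sigma) of the lognormal whose 5th/95th percentiles are p05/p95."""
    mu = 0.5 * (math.log(p05) + math.log(p95))          # ln(median)
    sigma = (math.log(p95) - math.log(p05)) / (2 * Z95)
    return mu, sigma


def lognormal_mean(mu, sigma):
    """Mean of a lognormal: exp(mu + sigma^2 / 2)."""
    return math.exp(mu + 0.5 * sigma * sigma)


def summarize(samples):
    """Mean and nearest-rank 5th/50th/95th percentiles of a sample."""
    s = sorted(samples)
    n = len(s)

    def pick(q):
        return s[min(n - 1, int(q * n))]

    return {"mean": statistics.fmean(s), "p05": pick(0.05),
            "median": pick(0.50), "p95": pick(0.95)}


def simulate_sum(rows, trials=20000, seed=20000):
    """Distribution of the sum of independent lognormal component rates."""
    rng = random.Random(seed)
    params = [fit_lognormal(p05, p95) for _, p05, p95 in rows]
    totals = [sum(rng.lognormvariate(mu, sd) for mu, sd in params)
              for _ in range(trials)]
    return summarize(totals)


def analytic_mean(rows):
    """The mean of a sum is the sum of the means, whatever the dependence."""
    return sum(lognormal_mean(*fit_lognormal(p05, p95)) for _, p05, p95 in rows)


# (name, 5th percentile, 95th percentile) in failures per hour, copied from
# Table 9.2-1; a subset of the table's rows.
RUN_FAILURE_ROWS = [
    ("Primary Valve Fails Closed When Pulsing", 3.494e-4, 1.225e-2),
    ("Magnetic Pickup Unit Fails Low", 1.747e-4, 6.127e-3),
    ("Lube Oil System Loss Of Flow", 9.334e-5, 9.681e-3),
    ("Gas Generator Fails To Run", 9.020e-7, 4.429e-4),
    ("Turbine Fails To Run", 2.722e-5, 1.837e-3),
    ("Fuel Pump Filter Plugs", 2.722e-6, 6.507e-4),
    ("HYD Fluid Leak (Catastrophic)", 5.0e-6, 5.0e-4),
]

if __name__ == "__main__":
    result = simulate_sum(RUN_FAILURE_ROWS)
    for key, value in result.items():
        print(f"{key:>6}: {value:.3e}")
    print(f"analytic mean of sum: {analytic_mean(RUN_FAILURE_ROWS):.3e}")
```

Two checks worth keeping when reproducing such a table: the Monte Carlo mean of the sum should agree with the closed-form sum of the component means (a sanity check on the fitted parameters), and the median of the sum should sit below its mean, since a sum of lognormals is right-skewed. The swapped 5th/95th entries that occur in scanned tables of this kind show up immediately as a negative sigma from fit_lognormal.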
9.2.2.3 Turbine Overspeed and Hub Failure at Normal Speed

Figure 9.2-3 depicted the fault tree for a turbine overspeed condition, which is an initiating event
(TU). Prior distributions were obtained from the 1987 APU study. The following Table 9.2-3
provides the priors and the in-flight Shuttle data used for the likelihood function. The posterior
failure rates of these various components are listed in Table 9.2-5. To calculate the turbine overspeed frequency distribution based on fault tree logic, an @Risk Monte Carlo simulation (20,000 trials) in a Lotus 1-2-3 spreadsheet was used.


Event | Prior (Log Normal) 5th Percentile | Prior (Log Normal) 95th Percentile | Shuttle Specific Data
------|-----------------------------------|------------------------------------|----------------------
PASVC | 8 x 10^-5 /D                      | 7 x 10^-3 /D                       | 1/378 demands (1)
TASVE | 1 x 10^-4 /hr                     | 1 x 10^-2 /hr                      | 0/0 (2)
TAMIL | 5 x 10^-5 /hr                     | 5 x 10^-3 /hr                      | 1/796 hrs (3)
PAPVE | 1 x 10^-4 /hr                     | 1 x 10^-2 /hr                      | 1/292 hrs (4)

(1) 2 demands/APU x 63 missions x 3 APUs/mission = 378 demands.
(2) Failure of the primary valve in mission STS-31 generated a demand on the secondary valve for a few minutes before
the launch was scrubbed. The secondary valve did not fail.
(3) 1.33 hours/APU x 3 APUs/mission x 3 HPUs/APU x 63 missions = 796 hours.
(4) 1.33 hours/APU x 3 APUs/mission x 63 missions = 292 hours.

Table 9.2-3: Priors and In-Flight Shuttle Data Used for the Likelihood Function


Shuttle in-flight failures used in the above table are described below in Table 9.2-4:

CAR No.       | Date     | Flight No. | APU No. | Basic Event | Description
--------------|----------|------------|---------|-------------|------------------------------------------------------------
AC8511-01     | 08/06/84 | 41B        | 3       | PASVC       | GGVM shut off valve leaking at a rate of 248 scim due to a broken poppet valve seat
AC0055-01     | 07/24/81 | 1          | 2       | TAMIL       | MPU #2 was inoperative; MPU resistance measured open
IFA STS-31-01 | 04/24/91 | STS-31     | 1       | PAPVE       | Primary pulse control valve chipped (valve seat failure), allowing hydrazine to continue flowing. Secondary valve took over. Launch scrubbed.

Table 9.2-4: APU Turbine Component Failure Descriptions
The @Risk Monte Carlo simulation (20,000 trials) for the turbine overspeed frequency distribution
can be seen in Figure 9.2-6.

Failure                                                            | Mean-Dist | 5th percentile | Median    | 95th percentile
-------------------------------------------------------------------|-----------|----------------|-----------|----------------
Primary Valve Fails Open During Pulsing                            | 1.477E-03 | 6.852E-05      | 6.500E-04 | 4.054E-03
Magnetic Pickup Unit Fails Low                                     | 2.240E-03 | 1.747E-04      | 1.202E-03 | 6.127E-03
Secondary Valve Fails Open During Pulsing                          | 9.602E-04 | 5.032E-05      | 4.484E-04 | 2.685E-03
Secondary Valve Fails To Close On Demand                           | 2.631E-03 | 2.305E-04      | 1.504E-03 | 7.500E-03
Total Probability For Turbine Overspeed/Flight (all APUs included) | 2.518E-04 | 6.733E-06      | 7.530E-05 | 9.403E-04

Table 9.2-5: Posterior Failure Rate Data for Component Failures Leading to Turbine Overspeed


[Figure 9.2-6: @Risk Simulation Results for Turbine Overspeed Frequency (forecast: Total Turbine Overspeed Frequency per Flight, cell D6, frequency chart, 19,591 trials shown, horizontal axis 0 to 2.250E-4)]

Turbine hub failure at normal speed is not a significant contributor to the probability of this event.
APU hub cracking is mapped, and it has been shown by analysis (at JSC) that the likelihood of
blade cracking propagating to a hub crack is very small. Furthermore, experiments on hub
breakup show that even a notched or drilled hub requires a speed significantly above nominal to
induce hub failure. NPRD-95 has a value for turbine failure of about 10^-5/hr for all modes combined, not just hub failure. Therefore, hub failure at normal speed is at least an order of magnitude less in probability than turbine overspeed.

9.2.2.4 Other Prior Distributions

The remaining prior distributions were taken directly from the 1987 study, were defined by MGL
analysis, or were a result of our assessment. All of the prior distributions are in Table 9.2-8. The
two letter descriptions were discussed previously in Table 9.1-1.

Some events, such as an APU OK state, are not in this table since they are not incorporated into
the quantification of the scenarios. For some inputs only a mean value was estimated.

9.2.2.5 Large Exhaust Gas or Hydrazine Leak (LL)

This prior distribution was generated by breaking the event down into its three major contributors: tank/pipe rupture, hot gas leak, and isolation valve leak/rupture. For both the tank/pipe rupture and hot gas leak modes, a failure rate range based on variability was defined from
Nonelectronic Parts Reliability Data 1995 (NPRD-95). The median value from this range was
multiplied by the 1.5 hour total APU run time for ascent and descent, and times 3 for the number
of APUs, to get a point estimate failure probability for the system per flight.

A failure rate range was also defined for the isolation valve leak from NPRD-95. In this case, the
range was treated as defining the 5th and 95th percentiles of a lognormal distribution which was
used as the prior in a Bayesian update. The evidence data consisted of two incidents in which
cracks were found in APU and HPU isolation valves which did not propagate to a through crack
of the valve casing that separates the flow path from the solenoid cavity. The concern here is that
when hydrazine comes in contact with the solenoid it could decompose and rupture the isolation
valve, causing an unisolatable leak. These were not "hard" failures, but are valid evidence of failure potential. They were treated, therefore, by a near miss methodology as follows.

The solution was to treat the data according to the probability that these incidents might propagate into "hard" failures on other flights, where the circumstances might be different. This is a
matter of judgment on the part of the analyst. In this case, since these incidents were determined
to have a low probability of propagating to "hard" failures, the evidence was treated as having a
5% probability of representing 1 failure in 72000 hours (a lower bounding estimate of the total exposure time for APU and HPU isolation valves), and a 95% chance of representing zero failures in
72000 hours. The overall posterior distribution was then generated by taking a weighted average
(according to the previously determined weights) of the two possible posterior distributions.

The following Table 9.2-6 shows the prior distributions.



Contributor                    | 5th Percentile   | 95th Percentile | Exposure Time
-------------------------------|------------------|-----------------|-----------------
Tank/Pipe Rupture (prior only) | 10^-9 /hr        | 10^-7 /hr       | 63 x 3 x 1.5 hrs
Hot Gas Leak (prior only)      | same             | same            | same
Isolation Valve (prior)        | 1 x 10^-7 /hr    | 10^-7 /hr       | 72000 hrs
Isolation Valve (updated)      | 1.2 x 10^-9 /hr  | 8 x 10^-8 /hr   |

Table 9.2-6: Distributions for Large Hydrazine or Exhaust Gas Leak
The data used in the isolation valve analysis is anecdotal. We are aware of a crack discovered in
an APU isolation valve before STS-1. We are also aware of a recent crack found in an HPU that,
when tested post-flight, leaked hydrazine into the solenoid cavity.

9.2.2.6 Leak in One APU Unit (LK)

A Bayesian analysis was not performed for hydrazine leaks. Shuttle in-flight experience was used
to generate a point estimate of the rate at which hydrazine leaks develop. This rate was based on
the data in Table 9.2-7, showing 6 leaks in 31752 hours of exposure time (63 flights x 3 APUs x
assumed average flight duration of 7 days x 24 hours/day). To generate a probability distribution,
the point estimate was assumed to be the mean value of a maximum entropy (σ = 1.0) lognormal
distribution.

This assessment was based on a number of assumptions. We assume that the APUs are leak
checked and only launched if found acceptable. Hydrazine leaks may occur at any time during the
mission. Exposure to hydrazine may cause leaks even without the system operating. However,
the leaks may only be revealed when the system is operating.


CAR       | IFA | Flight  | Date     | APU # | Description
----------|-----|---------|----------|-------|------------------------------------------------------
**        | ICR |         | 04/12/81 | 1     | Hyd. leak from fuel pump cover
**        | ICR |         | 04/12/81 |       | Hyd. leak at fuel pump inlet fitting
09F012-01 |     | STS-9   | 11/28/83 | 1     | Hyd. leak from cracked fuel injector tube *
09F013-01 |     | STS-9   |          | 2     | Hyd. leak from cracked fuel injector tube *
          | X   | STS-51F | 07/29/85 | 1     | Hyd. leak into gearbox ***
          | X   | STS-45  | 03/24/92 | 1     | Hyd. leak into gearbox ****
          | X   | STS-45  | 03/24/92 | 2     | Lube oil / GN2 leak from gearbox through turbine seal

* APU failed due to the hydrazine leak.
** Data from APU subsystem manager database.
*** This leak was detected by increased pressure in the gearbox and the start of APU 2 was delayed until Vrel = 10k.
**** On this same mission APU 2 leaked oil / GN2 from the gearbox to the aft compartment.

Table 9.2-7: Hydrazine Leakage History on STS
The APUs contain many potential leakage sites. The data simply indicates that some have already
occurred. Others have yet to become active. Because of this, we do not necessarily view
corrective actions to individual leakage sites as reducing the predicted frequency of leaks. Rather,
we treat past leaks as indicative of future rates.

9.2.2.7 Leak Detected and Confirmed (LD and LA)

The first four leaks above were not detected during the mission. The last two leaks were detected
by increased pressure in the gearbox. We assess the probability of leak detection, and APU delayed start, as 1 in 6 based on this data. Since no action has ever been taken on leaks during ascent, this indicates zero probability of leak detection on ascent. The use of zero detected and
confirmed leaks during ascent avoids the paradox associated with a groundrule of this study. The
groundrule is that aborts are assumed to be successful. Therefore, a failure that leads to an APU
induced abort actually reduces the calculated risk. Flight rules call for an APU shutdown and an
MDF abort if a single hydrazine leak is detected and confirmed. Two such leaks lead to a PLS
abort. To avoid having to treat leaks as successes, we assume no detection on ascent.

9.2.2.8 Own Leakage/Other Leakage Induced Failures (LF and LO)

These prior distributions were defined through a data based assessment utilizing the 1987 study,
PRACA records, hazards analyses and an understanding of the phenomenology of the failure
modes. Specifically, the mean value for own leakage induced failure during descent was defined
from the data shown in Table 9.2-7, indicating 2 APU failures in 6 leaks. The mean values for the
other three conditional probabilities were then derived by maintaining the ratios between the values from the 1987 study and scaling them to the 0.3 defined for LF (des). This produced values
of 0.2 for LO (des), 0.1 for LF (asc) and 0.008 for LO (asc).

An assessment of the applicable distributions was then made for the four probabilities. In the case
of LF (des), an upper 4σ bound of 0.5 was defined for the distribution, assuming a normal distribution. For LF (asc), an upper 4σ bound of 0.2 was defined, again assuming a normal distribution. And for LO (asc), given the small value of the mean (0.008), a lognormal distribution was
judged to be more applicable, as greater uncertainty is expected for small defined values. For this
distribution, an Error Factor of 5 was assumed. For the normal distributions, values below zero
should be truncated when using the defined distributions.

In the case of LO (des), data is available for a Bayesian update of the assessed value, so the distribution needs to be defined much broader than for the other cases (where the posterior was being
defined directly), in order to overlap the likelihood function of the evidence. The prior distribution was defined using 0.2 as the mean value for a maximum entropy (σ = 1.0) lognormal distribution. This was updated with evidence of 0 APU failures in 12 APUs exposed to other units
leaking. Note the following for each leak: there are 2 opportunities for another APU to fail owing to the leak and 1 opportunity for itself to fail. For 6 leaks, there are 6 x 2 = 12 opportunities
for failure of another APU owing to the leak. None has occurred. The mean value of LO (des)
drops to 0.07 given this evidence. The result of the Bayesian analysis is shown graphically in Figure 9.2-7.
9.2.2.8.1 Sensitivity Treatment of APU 3 Failures 

The previous section described the baseline treatment of these conditional probabilities. In the 
case of APU failure due to another unit's leakage (LO), it could be argued that APU 3 needs to be 
treated differently. APU 3 is physically located about 6' (on the starboard side) from the other 
two units, which are only a few inches apart. Thus, we believe that there is a lesser chance of 
APU 3 failing due to leakage in unit 1 than of an APU 2 failure. 

Our fault tree treatment is conservative in that each APU is considered "identical". It does not 
capture "full credit" for cases in which the actual APU 3 is leaking, which would lead to reduced 
LO conditional probabilities for both of the other units. 

One way of capturing this logic would be to drop the LO conditional probability to a lower value 
for all of the APU 3 terms. In order to illustrate the effect this would have on the results, two of 
the most significant leakage fault trees have been quantified, at the mean value, for these two 
cases. For the baseline case: 

• OK Initial State on Entry, Seq. 16: 4.159E-04 

• OK Initial State on Entry, Seq. 17: 1.700E-04 

For the sensitivity case, using as an example 0.01 as the unit 3 LO (des) probability: 

• OK Initial State on Entry, Seq. 16: 2.479E-04 

• OK Initial State on Entry, Seq. 17: 6.214E-05 
Figure 9.2-7: Bayesian Analysis Result for LO (Des) 
9.2.2.9 Unsuccessful Single APU/HYD Unit Reentry, TAEM and Landing (UL) 

This prior distribution was generated according to judgment weighted by several factors. First, 
such landings are regularly simulated successfully in training. To the extent that the simulator is 
successful in characterizing the vehicle response given a single APU/HYD unit, this gives 
credence to a very high probability of success. However, this is tempered by the fact that a single 
APU/HYD unit landing is not certified by the program. Unfavorable weather conditions coupled 
with slower control rates could potentially indicate a much higher probability of a failed landing. 
The assessment team has translated this into a range of 80% to 100% for a successful landing. It 
was also determined that the lack of a strong conviction for any values within this range 
warranted a uniform distribution for this range. 
PRIOR (/hr or /demand) 

ID | β-factor, γ | Mean | Median | 5th | 95th 
CE | N/A | 0.5 (LL); 0.88 (TU) | | | 
CF | Calculated using applicable MGL method formulas | | | | 
CL | Calculated using applicable MGL method formulas | | | | 
CO | N/A | 1 | | | 
CS | Calculated using applicable MGL method formulas | | | | 
HB | N/A | 0.9 | | | 
ID | N/A | 9.150E-03/hr | 6.956E-03/hr | 3.059E-03/hr | 2.174E-02/hr 
IF | N/A | 9.150E-03/hr | 6.956E-03/hr | 3.059E-03/hr | 2.174E-02/hr 
IS | N/A | 1.205E-02/start; 9.150E-03/hr | 7.949E-03/start; 6.956E-03/hr | 3.322E-03/start; 3.059E-03/hr | 3.342E-02/start; 2.174E-02/hr 
LD | N/A | 0.0 (asc); 0.1667 (des) | | | 
LF | N/A | 1.0E-01 (asc) | 1.0E-01 (asc) | 6.0E-02 (asc) | 1.4E-01 (asc) 
OS | N/A | see posterior | | | 
LK | N/A | 1.890E-04/hr | 1.152E-04/hr | 2.224E-05/hr | 5.971E-04/hr 
LL | N/A | 2.8E-05 | | | 
LO | N/A | 8.0E-03 (asc) | 5.0E-03 (asc) | 9.9E-04 (asc) | 2.5E-02 (asc) 
LS | N/A | 2.0E-01 (des) | 1.2E-01 (des) | 2.3E-02 (des) | 6.3E-01 (des) 
LU | N/A | 1.0 (asc); 0.8333 (des) | | | 
LZ | N/A | 1.0 (asc); 0.8333 (des) | | | 
SI | N/A | 1.0 (LL); 0.88 (TU) | | | 
SR | N/A | 0.98795/start | 0.99205/start | 0.99668/start | 0.96658/start 
TU | N/A | | 7.530E-05 | 6.733E-06 | 9.403E-04 
UL | N/A | 0.1 | 0.1 | 0.01 | 0.19 

Table 9.2-8: Prior Probability Distributions 
9.3 Posterior Distributions for APU/HYD/WSB Failure to Run and Start (Ascent and 
Descent) 

Posterior distributions were determined by updating the prior distributions with available data 
using Bayes' Theorem. Data points not only include failures of the APU and HYD systems, but also 
the Water Spray Boiler (WSB). WSB failures, which lead to an APU shutdown and subsequent 
hydraulic loss, were not examined in the previous 1987 study, so data was extracted for these 
failures from all Shuttle flights. Other data points pertaining to these failures were taken from 
post-Challenger flights (1988) to STS-65 (flight 63, 7/8/94). 

9.3.1 Water Spray Boiler Failures Used in the Analysis 

9.3.1.1 03-23-1982 STS-3 

WSB 3 freeze-up during ascent. An APU temperature message at lift-off plus 4 minutes 23 seconds 
reported lube oil temperature climbing. Controller B was then selected, but the temperature 
continued to rise. APU 3 shutdown at liftoff plus 8 minutes, and the right main engine went into 
hydraulic lock-up. After ascent, at lift-off plus one hour, controller A was then selected; both 
controllers appeared to be working properly. The maximum APU 3 lube oil temperature was 
330°F, and the maximum bearing temperature was between 355 and 360°F. FCS checkout tested 
both controllers, and both were 100% nominal. This situation was also seen on STS-1 and 2. 

9.3.1.2 08-02-1991 STS-43 

WSB 2 failed to provide cooling to the auxiliary power unit 2 lube oil throughout the mission. 
APU 2 (serial number 208) has been involved in lube oil over temperatures during seven of its 
eight flights. The WSB did not cool the lube oil on controller A following ascent. The crew 
switched to controller B when the lube oil return temperature reached approximately 297°F. The 
APU was operated an additional 1.5 minutes on the B controller, and still no cooling was 
observed. The APU was shut down when the lube oil return temperature reached 323°F. The WSB 
is designed to control the lube oil temperature to 250±2°F. 

An extended flight control system check-out using APU 2 was performed and the WSB was not 
cooling on either controller. The APU ran for 11 minutes during check-out, then was shut down 
and declared lost. During descent, APU 2 was activated at terminal area energy management due 
to the lack of cooling. The lube oil reached 259°F before shutdown after wheel stop with no 
evidence of cooling. The spray boiler may not have had the chance to function, however, as this 
temperature is close to the 250°F control limit. 

9.3.1.3 09-12-1992 STS-47 

During ascent, WSB 3 (serial number 15) exhibited no cooling until just prior to the early 
shutdown of APU 3. The lube oil temperature reached approximately 292°F when the controller was 
switched from A to B. The lube oil temperature continued to rise to 311°F when the decision was 
made to shut down APU 3 early. Prior to APU 3 deactivation, the WSB GN2 regulator outlet 
pressure indicated that spraying had begun. WSB 3 continued to spray until the spray logic was 
turned off (1 minute 43 seconds). Steady-state cooling was never achieved on either controller 
since the lube oil temperature was not allowed to drop to 250°F prior to boiler spray logic 
shutdown. 

APU 3 was selected to perform FCS checkout. The checkout time frame was extended to verify 
WSB 3 cooling performance. The extended run time demonstrated satisfactory cooling on both 
controllers (3 minutes 42 seconds for B, then 1 minute 47 seconds for A). WSB lube oil and 
hydraulic cooling performance during entry was nominal. 

Spray bar freeze-up remains the most likely cause of the WSB failure, although it could have 
resulted from spray valve or controller failures. 

9.3.1.4 01-13-1993 STS-54 

During ascent, WSB 3 (serial number 15) exhibited no cooling until just after the early shutdown 
of APU 3. The lube oil return temperature reached approximately 295°F when the WSB was 
switched from controller A to B. The lube oil return temperature reached 315°F when the 
decision was made to shut down APU 3 early. After deactivation, the WSB 3 GN2 regulator pressure 
indicated that spraying had started. WSB 3 continued to spray until the spray logic was turned off 
(approximately 35 seconds). Steady-state cooling was never achieved on controller A or B. 

APU 3 was selected to perform the FCS check-out. The FCS checkout time frame was extended 
to verify WSB cooling performance. The extended APU 3 run-time demonstrated satisfactory 
cooling on both controllers, with a minor overcool observed on controller A. APU performance 
using controller B during entry was nominal. 

Spray bar freeze-up remains the most probable cause of this cooling problem. However, data 
analysis also indicated that the local pressure at the vent nozzle of system 3 during ascent was 
somewhat higher than the other two systems. This high pressure is due to the location of the 
system 3 vent nozzle outlet (it is farther forward than the system 1 and 2 vent nozzle outlets). 
System 3's pressure remains higher than the other systems for the first 80 seconds of ascent, which 
is believed to be a contributing factor toward the repeated freeze-up anomalies observed in system 
3. 

Spray bar freeze-up conditions occur when the water triple point condition is met inside the heat 
exchanger. In the worst case freeze-ups, it is postulated the water triple point was reached prior 
to MECO. By increasing the water preload, the duration of heat exchanger tube bundle/water 
preload contact can be increased, which will reduce the likelihood/severity of spray bar freeze-up 
by maintaining pressure above the water triple point past MECO. The ongoing spray bar freeze-up 
test analysis indicates that the severity of the bar freeze-up at water triple point conditions may 
inversely correlate to the amount of water in the boiler. Therefore, KSC has been requested to 
preload WSB 3 to 5 ±0.1 lbs of water (normal is 3.75 ±0.24 lbs). 

9.3.2 Possible Water Spray Boiler Failure 

It is unknown whether this reported problem is an actual failure. For this analysis, it has not 
been considered as an actual data point. 

9.3.2.1 04-29-1985 STS-51B 

Shortly after MECO, the backup flight system indicated an APU 3 lube oil over temperature 
condition. The crew switched from controller A to B at a lube oil temperature of 320°F. The 
temperature continued to rise for an additional 20 seconds and reached a peak of 337°F. The crew 
was instructed to shut down APU 3 to avoid reaching the lube oil temperature limit of 355°F. The 
APU 3 lube oil temperature had decreased to approximately 320°F at shutdown, indicating that 
water spray boiler controller 3B was properly controlling lube oil cooling. Post flight testing has 
been unsuccessful in duplicating this problem. The A controller was replaced. 

9.3.3 Possible Hydraulic System Failure 

9.3.3.1 02-28-1990 STS-36 

Appendix C contains descriptions from PRACA records and hazards analyses of a "near-miss" 
failure involving a flex hose rupture in the hydraulic system. 

9.3.4 Updated Posterior Distribution 

The four WSB failures in Section 9.3.1 were counted as APU shutdowns. All three of these 
failures occurred during the ascent phase. One of these failures was permanent and caused a late 
restart of the APU during the entry phase, but was not counted as a failure during the reentry phase 
because it successfully completed its mission. For reentry, the hydraulic system rupture is 
counted as a possible APU/HYD unit failure in the update. The methodology for this type of 
update is described in Section 9.2.2.5, where in this case the weighting uses 50% for 1 failure and 
50% for zero failures. In the data column, if no data is available (i.e., no "trials"), an N/A for not 
applicable is placed in the box. 

The common cause failure calculations for the MGL formulas used the ID and IS values, 
assuming 20 minutes for ascent and 1 hour for descent. The MGL calculations also used generic β 
and γ values of 0.1 and 0.27, respectively. 

Table 9.3-1 lists the data and corresponding posterior probability distributions for the basic 
events. The means from these data distributions are used as basic event probability distribution 
inputs for use in SAIC's CAFTA model. 

POSTERIOR (/hr or /demand) 

ID | Data | Mean | Median | 5th | 95th 
CE | N/A | 0.5 (LL); 0.88 (TU) | | | 
CF | Calculated using applicable MGL method formulas | | | | 
CL | Calculated using applicable MGL method formulas | | | | 
CO | N/A | 1 | | | 
CS | Calculated using applicable MGL method formulas | | | | 
HB | N/A | 0.9 | | | 
ID | 4/63 hrs | 2.078E-02/hr | 1.931E-02/hr | 1.030E-02/hr | 3.622E-02/hr 
IF | 4/63 hrs | 2.078E-02/hr | 1.931E-02/hr | 1.030E-02/hr | 3.622E-02/hr 
IS | 0/189 starts; 0 to 1/252 hrs | 5.677E-03/start; 6.479E-03/hr | 4.448E-03/start; 5.614E-03/hr | 1.433E-03/start; 2.369E-03/hr | 1.194E-02/start; 1.219E-02/hr 
LA | N/A | 0.0 (asc); 0.1667 (des) | | | 
LD | N/A | 0.0 (asc); 0.1667 (des) | | | 
LF | N/A | 1.0E-01 (asc) | 1.0E-01 (asc) | 6.0E-02 (asc) | 1.4E-01 (asc) 
OS | 2/6 Leaks | 3.0E-01 (des) | 3.0E-01 (des) | 2.2E-01 (des) | 3.8E-01 (des) 
LK | N/A | 1.890E-04/hr | 1.152E-04/hr | 2.224E-05/hr | 5.971E-04/hr 
LL | N/A | 2.8E-05 | | | 
LO | N/A | 8.0E-03 (asc) | 5.0E-03 (asc) | 9.9E-04 (asc) | 2.5E-02 (asc) 
LS | 0/12 Leaks | 7.0E-02 (des) | 5.3E-02 (des) | 1.4E-02 (des) | 1.6E-01 (des) 
LU | N/A | 1.0 (asc); 0.8333 (des) | | | 
LZ | N/A | 1.0 (asc); 0.8333 (des) | | | 
SI | N/A | 1.0 (LL); 0.88 (TU) | | | 
SR | N/A | 0.99432/start | 0.99555/start | 0.99857/start | 0.98806/start 
TU | N/A | 6.962E-05 | 5.501E-05 | 1.974E-05 | 1.672E-04 
UL | N/A | 0.1 | 0.1 | 0.01 | 0.19 

Table 9.3-1: Posterior Probability Distributions 
9.4 APU/HYD/WSB ANALYSIS FOR SSME MODEL 

The APU failure probability assessment for the SSME model being produced at SAIC is 
somewhat different than that for this APU model. First, the exposure time is at most 520 seconds 
instead of 20 minutes. Second, only 1 of the WSB failures is relevant (STS-3) for purposes of 
calculating engine hydraulic lockup probability. 

We started with the prior distribution for IF, given in Table 9.2-6, multiplied against the 520 
second time period to produce a probability of failure (POF). We updated with 1 failure in 63 
missions to produce a posterior. This represents the case in which the WSB failure and APU 
shutdown continues to be representative of how MCC and crew will react to a WSB failure. Since 
STS-3, other WSB failures have not resulted in a call for APU shutdown before MECO. Flight 
Rules indicate that APU shutdowns should occur post-MECO. 

We also updated the same prior distribution for IF with 0 failures in 63 missions. This is like 
saying that STS-3 never happened and gives an overly optimistic assessment. An accurate 
assessment lies somewhere in between. We used a weighted average of each posterior where each 
update was given equal probability of being the correct one. 

The Bayesian calculation is shown in Figure 9.4-1. 
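The maximum-entropy lognormal update used for LO (des) in Section 9.2.2.8, the 50% / 50% weighting of a "possible" failure in Section 9.3.4, and the equal-weight average of the 1-in-63 and 0-in-63 IF updates described here all reduce to the same discretized Bayes step. The Python below is an added example, not the report's or SAIC's code; the LO (des) inputs (mean 0.2, σ = 1.0, 0 failures in 12) are the report's, while the prior for the 9.4 step is an assumption (the Table 9.2-8 IF row scaled to 520 s, since Table 9.2-6 is not on this page), so those numbers will not match Figure 9.4-1.

```python
"""Discretised Bayesian updates of the kind used for the APU/HYD basic events.

Added example (not code from the NASA/SAIC report). Two of the report's steps:
  * LO(des): maximum-entropy lognormal prior, mean 0.2, sigma = 1.0, updated
    with 0 failures in 12 opportunities (Section 9.2.2.8);
  * an equal-weight mixture of two posteriors (1 vs. 0 failures in 63
    missions), the treatment used when a data point is only "possibly" a
    failure (Sections 9.3.4 and 9.4).  The prior for the second step is an
    ASSUMPTION: Table 9.2-8's IF row scaled to 520 s, standing in for the
    report's Table 9.2-6, which is not reproduced here.
"""
import math

SECONDS_PER_HOUR = 3600.0


def lognormal_mu(mean, sigma):
    """Location parameter of a lognormal with arithmetic mean `mean`."""
    return math.log(mean) - 0.5 * sigma * sigma


def sigma_from_mean_median(mean, median):
    """Log-space sigma of a lognormal recovered from its mean and median."""
    return math.sqrt(2.0 * math.log(mean / median))


def posterior_grid(prior_mean, sigma, failures, trials, n=4001, width=8.0):
    """Prior times binomial likelihood on a grid uniform in x = ln p.

    The prior is truncated at p < 1 (a probability cannot exceed 1 and the
    binomial likelihood is undefined there).  Returns (p values, normalised
    posterior weights).  failures = trials = 0 yields the truncated prior.
    """
    mu = lognormal_mu(prior_mean, sigma)
    ps, log_ws = [], []
    for i in range(n):
        x = mu - width * sigma + 2.0 * width * sigma * i / (n - 1)
        p = math.exp(x)
        if p >= 1.0:
            break
        z = (x - mu) / sigma
        log_w = -0.5 * z * z                      # normal density in x
        log_w += failures * math.log(p) + (trials - failures) * math.log1p(-p)
        ps.append(p)
        log_ws.append(log_w)
    peak = max(log_ws)                             # guard against underflow
    ws = [math.exp(lw - peak) for lw in log_ws]
    total = sum(ws)
    return ps, [w / total for w in ws]


def summarize(ps, ws):
    """Mean and 5th / 50th / 95th percentiles of a discrete distribution."""
    out = {"mean": sum(p * w for p, w in zip(ps, ws))}
    pending = {"5th": 0.05, "median": 0.50, "95th": 0.95}
    cum = 0.0
    for p, w in zip(ps, ws):
        cum += w
        for name, q in list(pending.items()):
            if cum >= q:
                out[name] = p
                del pending[name]
    return out


def update(prior_mean, sigma, failures, trials):
    """Single Bayesian update; returns {"mean", "median", "5th", "95th"}."""
    return summarize(*posterior_grid(prior_mean, sigma, failures, trials))


def mixture_update(prior_mean, sigma, cases):
    """Weighted mixture of posteriors, cases = [(weight, failures, trials), ...].

    Every case shares the same grid, so the weighted posterior masses can be
    added point by point before summarising.
    """
    ps, mixed = None, None
    for weight, failures, trials in cases:
        grid, ws = posterior_grid(prior_mean, sigma, failures, trials)
        if mixed is None:
            ps, mixed = grid, [weight * w for w in ws]
        else:
            mixed = [m + weight * w for m, w in zip(mixed, ws)]
    return summarize(ps, mixed)


def lo_des_update():
    """Section 9.2.2.8: prior mean 0.2, sigma 1.0, evidence 0 failures in 12."""
    return update(0.2, 1.0, 0, 12)


def ssme_lockup_pof():
    """Section 9.4 style 50/50 weighting of the 1-in-63 and 0-in-63 updates."""
    prior_mean = 9.150e-3 * 520.0 / SECONDS_PER_HOUR   # ASSUMED stand-in prior
    sigma = sigma_from_mean_median(9.150e-3, 6.956e-3)  # from Table 9.2-8 IF row
    return {
        "one_failure": update(prior_mean, sigma, 1, 63),
        "no_failure": update(prior_mean, sigma, 0, 63),
        "weighted": mixture_update(prior_mean, sigma, [(0.5, 1, 63), (0.5, 0, 63)]),
    }


if __name__ == "__main__":
    print("LO(des) posterior:", lo_des_update())
    for name, stats in ssme_lockup_pof().items():
        print(name, stats)
```

With the report's LO (des) inputs the posterior mean comes out near 0.065, consistent with the 0.07 quoted in Section 9.2.2.8; the truncation at p < 1 is why the grid's prior mean is slightly under the nominal 0.2.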

The MGL method was used to calculate the probability of loss of hydraulics for a single engine 
and for two engines as follows: 

1 Engine Goes into Hydraulic Lockup via Hydraulic Failure During Ascent 

$$Q = 3(1-\beta)\,Q_{APU} = 3\,(1-0.1)\,(1.5\mathrm{E}{-04}) = 4\mathrm{E}{-04}$$

2 Engines Go into Hydraulic Lockup via Hydraulic Failure During Ascent (First 5.6 minutes) 

$$Q = \tfrac{3}{2}(1-\gamma)\,\beta\left(\tfrac{336}{520}\right)Q_{APU} + 3(1-\beta)^2\left(\tfrac{336}{520}\right)^2 Q_{APU}^2$$

$$= \tfrac{3}{2}(1-0.27)(0.1)\left(\tfrac{336}{520}\right)(1.5\mathrm{E}{-04}) + 3(1-0.1)^2\left(\tfrac{336}{520}\right)^2(1.5\mathrm{E}{-04})^2 = 1\mathrm{E}{-04}$$
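The MGL expressions above carried out in code. This is an added example, not the report's or SAIC's code; it uses the report's generic β = 0.1 and γ = 0.27 and the Q_APU = 1.5E-04 of the equations, and goes one step beyond the page by also combining the all-three-units paths that the appendix LOV fault trees model with the same common cause gates.

```python
"""Multiple Greek Letter (MGL) common-cause combination for the three
APU/HYD units, as applied in Section 9.4 to SSME hydraulic lockup.

Added example, not code from the NASA/SAIC report.  Inputs are the report's:
generic beta = 0.1 and gamma = 0.27, and Q_APU = 1.5E-04, the per-unit
probability of failure over the 520 s ascent exposure used in its equations.
"""

BETA = 0.1      # fraction of a unit's failures that involve at least one other unit
GAMMA = 0.27    # fraction of those that involve all three units
Q_APU = 1.5e-4  # per-unit POF over the 520 s exposure (report value)


def mgl_split(q_t, beta, gamma):
    """MGL basic-event probabilities for a group of three units.

    Returns (q1, q2, q3): q1 = a specific unit failing alone, q2 = a specific
    pair failing together, q3 = all three failing together.  For any q_t,
    q1 + 2*q2 + q3 == q_t (each unit belongs to two of the three pairs).
    """
    q1 = (1.0 - beta) * q_t
    q2 = beta * (1.0 - gamma) * q_t / 2.0   # divided by the 2 pairs each unit is in
    q3 = beta * gamma * q_t
    return q1, q2, q3


def one_engine_lockup(q_t=Q_APU, beta=BETA):
    """Section 9.4: Q = 3(1-beta) Q_APU, any one of the three units fails alone."""
    return 3.0 * (1.0 - beta) * q_t   # about 4.05E-04 with the report's inputs


def two_engine_lockup(q_t=Q_APU, beta=BETA, gamma=GAMMA, window_s=336.0, total_s=520.0):
    """Section 9.4: two units lost within the first 336 s of the 520 s exposure.

    Q_APU is scaled linearly to the shorter window.  First term: a common-cause
    pair (3 pairs); second term: two independent failures (3 combinations).
    """
    q_window = q_t * window_s / total_s
    q1, q2, _ = mgl_split(q_window, beta, gamma)
    return 3.0 * q2 + 3.0 * q1 * q1   # about 1.06E-05 with these inputs


def all_three_lockup(q_t=Q_APU, beta=BETA, gamma=GAMMA):
    """Beyond the page: all three units lost over the full exposure.

    Paths: the all-three common-cause event, a pair common-cause event plus
    the third unit independently (3 ways), or three independent failures.
    """
    q1, q2, q3 = mgl_split(q_t, beta, gamma)
    return q3 + 3.0 * q2 * q1 + q1 ** 3


if __name__ == "__main__":
    print("1 engine :", one_engine_lockup())
    print("2 engines:", two_engine_lockup())
    print("3 engines:", all_three_lockup())
```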
Figure 9.4-1: APU Failures on Ascent Causing SSME Hydraulic Lockup (POF) (Bayesian update spreadsheet, "BAYESIAN UPDATE: Easy Template"; not reproduced) 
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Event Sequence Diagram of a Large 
Gas/Hydrazine Leak 



X 





EVENT TREE OF A LARGE GAS/HYDRAZINE LEAK 







Event Sequence Diagram for 
APU/HYD Turbine Overspeed 
and/or Hub Failure 
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Event Sequence Diagram for OK Start 
Without a Hydrazine Leak During Ascent 
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EVENT TREE OF AN OK START WITHOUT A HYDRAZINE LEAK DURING ASCENT 
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Fault Tree For Sequence 3 PLSR2U 
State From OK Start Without A 
Hydrazine Leak During Ascent 




APU/HYD APU/HYD APU/HYD APU/HYD APU/HYD APU/HYD 

Unit 1 Unit 2 Unit 1 Unit 3 Unit 2 Unit 3 

Independent Independent Independent Independent Independent Independent 

Failure Failure Failure Failure Failure Failure 
















Fault Tree For Sequence 4 LOV 
State From OK Start Without A 













EVENT TREE OF APU/HYD HYDRAZINE LEAK STATE DURING ASCENT 
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Fault Tree for Sequence 1: MDFR State 
From a Hydrazine Leak State During Ascent 
one APU/HYD Unit has a Detected/Confirmed Leak 
and is Recoverable 












Fault Tree for Sequence z: PLSRU End State 
From a Hydrazine Leak During Ascent, 
one APU/HYD Unit has a Detected/Confirmed Leak 
and is Recoverable, one Other APU/HYD Unit Fails 










Fault Tree for Sequence L: PLSRU End State 
From a Hydrazine Leak During Ascent, 
one APU/HYD Unit has a Detected/Confirmed Leak 
and is Recoverable, one Other APU/HYD Unit Fails 

(Continued) 



Independent/ Leakage Independent/ Leakage 

Dependent Induced Dependent Induced 

Failure Failure Failure Failure 













Fault Tree for Sequence 3: PLSR2U End State 
From a Hydrazine Leak During Ascent, one APIJ/HYD 
Unit has a Detected/Confirmed Leak and is Recoverable, 
Both Other APU/HYD Units Fail 

















Fault Tree for Sequence 4: MDFU End State 
From a Hydrazine Leak During Ascent, one 
APIJ/HYD Unit has a Detected/Confirmed Leak 
and Subsequent Failure 



Dependent Induced 

Failure Failure 













Fault Tree for Sequence 5: PLS2U End State From 
a Hydrazine Leak During Ascent, one APU/HYD Unit 
has a Detected/Confirmed Leak and Subsequent Failure, 
one Other APU/HYD Unit Also Fails 
















Fault Tree for Sequence S: PlS 2U End State From 
a Hydrazine Leak During Ascent, one APU/HYD Unit 
has a Detected/Confirmed Leak and Subsequent Failure, 
one Other APU/HYD Unit Also Fails (Continued) 



Independent/ Leakage Independent/ Leakage 

Dependent Induced Dependent Induced 

Failure Failure Failure Failure 












Fault Tree for Sequence LOV End State From 
a Hydrazine Leak During Ascent, one APU/HYD Unit 
has a Detected/Confirmed Hydrazine Leak and all 
Three APU/HYD Units Have Failures 













Fault Tree for Sequence 7: ILO End State From Hydrazine 
Leak During Ascent, one APU/HYD Unit has an Undetected 
Leak and no APU/HYD Units Have Failures 












Fault Tree for Sequence a: MDFRU End State 
From a Hydrazine Leak During Ascent, 
one APU/HYD Unit has an Undetected Leak and is 
Recoverable, one Other APU/HYD Unit Fails 










Fault Tree for Sequence 6 : MDFRU End State 
From a Hydrazine Leak During Ascent, 
one APU/HYD Unit has an Undetected Leak and is 
Recoverable, one Other APU/HYD Unit Fails 













Fault Tree for Sequence 8: MDFRU End State 
From a Hydrazine Leak During Ascent, 
one APU/HYD Unit has an Undetected Leak and is 
Recoverable, one Other APU/HYD Unit Fails 
(Continued) 



Independent/ Leakage Independent/ Leakage 

Dependent Induced Dependent Induced 

Failure Failure Failure Failure 












Fault Tree for Sequence 9: PLSR2U End State 
From a Hydrazine Leak During Ascent, one APU/HYD 
Unit has an Undetected Leak and is Recoverable, Both Other 

APU/HYD Units Fail 



Dependent Induced Dependent Induced 

Failure Failure Failure Failure 














Fault Tree for Seqence 10: MDFU End State From 
a Hydrazine Leak During Ascent, one APU/HYD Unit has 
an Undetected Leak and Subsequent Failure, no Other 
APU/HYD Units Fail 



ndependent/ 1 ,eakage 

Dependent Induced 

Failure Failure 













Fault Tree for Sequence 11: PLS2U End State From 
a Hydrazine Leak During Ascent, one APU/HYD Unit has an 
Undetected Leak and Subsequent Failure, one Other APU/HYD 

Unit Also Fails 




Independent/ Leakage 

Dependent Induced 

Failure Failure 











Fault Tree for Sequence 11: PLS2U End State From 
a Hydrazine Leak During Ascent, one APU/HYD Unit has an 
Undetected Leak and Subsequent Failure, one Other APU/HYD 
Unit Also Fails (Continued) 



Independent/ Leakage Independent/ Leakage 

Dependent Induced Dependent Induced 

Failure Failure Failure Failure 












Fault Tree for Sequence Ia. ia)V End State From 
a Hydrazine Leak During Ascent, one APU/HYD Unit 
has an Undetected Leak and all Three APU/HYD Units Fail 



Failure Failure * Failure Failure ' Failure Failure 












Fault Tree for Sequence 13: PLS3R End State From 
a Hydrazine Leak During Ascent, all Three APU/HYD 
Units Have Detected/Confirmed Leaks and no Failures 















Fault Tree for Sequence 14: PLS2RU End State From a 
Hydrazine Leak During Ascent, all Three APU/HYD Units 
Have Detected/Confirmed Leaks and one APU/HYD Unit Fails 











Fault Tree for Sequence 14: PLS2RU End State From a 
Hydrazine Leak During Ascent, all Three APU/HYD Units 
Have Detected/Confirmed Leaks and one APU/HYD Unit Fails 

(Continued) 




Independent/ Own l eak Leakage From 

Dependent Induced Other Unit 

Failure Failure Indueed Failure 










Fault Tree for Sequence 15: PLSR2U End State From 
Hydrazined Leak During Ascent, all Three APU/HYD Units 
Have Detected/Confirmed Leaks, two APU/HYD Units Fail 











Fault Tree for Sequence Is; PLSR2U End State From 
Hydrazined Leak During Ascent, all Three APU/HYD Units 
Have Detected/Confirmed Leaks, two APU/HYD Units Fail 

(Continued) 











Fault Tree for Sequence 15: PLSR2U End State From 
Hydrazined Leak During Ascent, all Three APU/HYD Units 
Have Detected/Confirmed Leaks, two APU/HYD Units Fail 

(Continued) 










Fault Tree for Sequence 15: PLSR2U End State From 
Hydrazined Leak During Ascent, all Three APU/HYD Units 
Have Detected/Confirmed Leaks, two APU/HYD Units Fail 

(Continued) 










Fault Tree for Sequence 16: LOV End State From Hydrazine 
Leak During Ascent, all Three APU/HYD Units Have Detected/ 
Confirmed Leaks and all Three APU/HYD Units Fail 











Fault Tree for Sequence 16: LOV End State From Hydrazine 
Leak During Ascent, all Three APU/HYD Units Have Detected/ 
Confirmed Leaks and all Three APU/HYD Units Fail 

(Continued) 













Fault Tree for Sequence 17: ILT End State From a Hydrazine 
Leak During Ascent, all Three APU/HYD Units Have Undetected Leaks 

and no Failures 



APU/HYD APU/IIYD APU/HYD 

Unit 1 Unit 2 Unit 3 













Fault Tree for Sequence 18: MDF2RU End State From a 
Hydrazine Leak During Ascent, one APU/HYD Unit Fails 











Fault Tree for Sequence 18: MDF2RU End State 
From a Hydrazine Leak During Ascent, one 
APU/HYD Unit Fails (Continued) 














Fault Tree for Sequence 19: PLSR2U End State From a Hydrazine 
Leak During Ascent, all Three APU/HYD Units Have Undetected Leaks, 

two APU/HYD Units Fail 











Fault Tree for Sequence 19: PLSR2U End State From a Hydrazine 
Leak During Ascent, all Three APU/HYD Units Have Undetected Leaks, 
two APU/HYD Units Fail (Continued) 











Fault Tree for Sequence 19: PLSR2U End State From a Hydrazine 
Leak During Ascent, all Three APU/HYD Units Have Undetected Leaks, 
two APU/HYD Units Fail (Continued) 










Fault Tree for Sequence 19: PLSR2U End State From a Hydrazine 
Leak During Ascent, all Three APU/HYD Units Have Undetected Leaks, 
two APU/HYD Units Fail (Continued) 











Fault Tree for Sequence 20: LOV End State From a Hydrazine 
Leak During Ascent, all Three APU/HYD Units Fail 











Fault Tree for Sequence 20: LOV End State From a Hydrazine 
Leak During Ascent, all Three APU/HYD Units Fail 

(Continued) 










Event Sequence Diagram For 
An OK Initiating State During 
Reentry, TAEM and Landing 


















EVENT TREE OF OK STATE DURING REENTRY. TAEM AND LANDING 
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Fault Tree for Sequence 4 LOV: Two APU/HYD 
Units Fail Without Hydrazine Leaks and Single 
APU/HYD Unit Reentry, TAEM and Landing is Unsuccessful 



Independent Common Independent Common Independent Common Independent Common 

Failure To Cause Failure Failure To Cause Failure Failure To Cause Failure Failure To Cause Failure 

Stall Or Run To Start Or Run Stall Or Run To Start Or Run Stall Or Run To Start Or Run Start Or Run To Start Or Run 
























Fault Tree for Sequence 4 L.OV: Two APU/HYD 
Units Fail Without Hydrazine Leaks and Single 
APU/HYD Unit Reentry, TAEM and Landing is Unsuccessful 

(Continued) 










Fault Tree for Sequence 5 LOV: All Three 
APU/HYD Units Fail Without Hydrazine 
Leaks During Reentry, TAEM and Landing 




















Fault Tree for Sequence 9 LOV: One APU/HYD 
Unit Leaks and is Shutdown, One Other Unit Fails, 
Restart of Shutdown APU/HYD Unit is Unsuccessful, and 
Single APU/HYD Unit Reenty, TAEM and Landing 
is Unsuccessful 



Independent Common Cause Leakage Induced Independent Common Cause Leakage Induced 

Failure To Failure To Failure To Failure To Failure To Failure To 

Stall Or Run Stall Or Run Stall Or Run Stall Or Run Stall Or Run Stall Or Run 



















Fault Tree for Sequence 11 LOV: One APU/HYD 
Unit Leaks and is Shutdown, Remaining Units 
Both Fail, Restart of Shutdown APU/HYD Unit 
is Successful, but Single Unit Reentry, TAEM and 
Landing is Unsuccessful 



Independent Common Cause Leakage Induced 

Failure To Failure To Failure Stall 

Stall Or Run Start Or Run Or Run 
















Fault Tree for Sequence 12 LOV: One APU/HYD 
Unit Leaks and is Shutdown, Both Remaining 
APU/HYDs Have Failures, and Restart of APU/HYD 
Unit 1 is Unsuccessful 



Independent Common Cause Leakage Induced 

Failure To Failure To Failure Stan 

Stall Or Run Stall Or Run Or Run 

























Sequence 16 LOV: One APU/HYD Unit 
Leaks Undetected, Two APU/HYD 
Units Fail and Single APU/HYD Unit 
Reentry, TAEM and Landing is Unsuccessful 



Independent Common Cause Leakage Induced Independent. Common Cause Leakage Induced 

Failure To Failure To Failure To Failure To Failure To Failure To 

Start Or Run Start Or Run Start Or Run Start Or Run Stmt Or Run Start Or Run 






















Sequence 16 LOV: one APU/HYD Unit 
Leaks Undetected, Two APU/HYD 
Units Fail and Single APU/HYD Unit 
Reentry, TAEM and Landing is Unsuccessful 
(Continued) 



Independent Common Cause Leakage Induced Independent Common Cause Leakage Induced 

Failure To Failure To Failure To Failure To Failure To Failure To 

Slail Or Run Start Or Run Start Or Run Start Or Run Start Or Run Start Or Run 























Sequence 17 LOV: une APU/HYD 
Unit Leaks Undetected and 
all Three APU/HYD Units Fail 



Independent Common Cause Leakage Induced 

Failure To Failure To Failure To 

Start Or Run Stall Or Run Start Or Run 




















Fault Tree for Sequence 21 LOV: All Three 
APU/HYD Units Leak, APU/HYD Unit 1 is Shutdown, One 
Other Unit Fails, Restart of Shutdown Unit is Unsuccessful 
and Single APU/HYD Unit Loading is Unsuccessful 



















Fault Tree for Sequence ** LOV: All Three 
APU/HYD Units Leak, APU/HYD Unit 1 is Shutdown, One 
Other Unit Fails, Restart of Shutdown Unit is Unsuccessful 
and Single APU/HYD Unit Loading is Unsuccessful 

(Continued) 























Fault Tree for Sequence 2i LOV: All Three 
APU/HYD Units Leak, APU/HYD Unit 1 is Shutdown, One 
Other Unit Fails, Restart of Shutdown Unit is Unsuccessful 
and Single APU/HYD Unit Loading is Unsuccessful 

(Continued) 






















Fault Tree for Sequence 23 LOV: AH Three 
APU/HYD Units Leak, APU/HYD Unit 1 is Shutdown, Both 
Remaining APU/HYD Units Fail, the Shutdown 
Unit is Restarted, but the Single APU/HYD Unit 
Reentry, TAEM and Landing is Unsuccessful 



Leak Successful Leak Leak 
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Fault Tree for Sequence 24 LOV: All Three 
APU/HYD Units Leak, APU/HYD Unit 1 is Shutdown, 
Both Remaining APU/HYD Units Fail and Restart of 
Shutdown APU/HYD Unit is Unsuccessful 
















Fault Tree for Sequence 14 LOV: All Three 
APU/HYD Units Leak, APU/HYD Unit 1 is Shutdown, Both 
Remaining APU/HYD Units Fail and Restart of 
Shutdown APU/HYD Unit is Unsuccessful 
(Continued) 









Fault Tree for Sequence 28 LOV: All Three 
APU/HYD Units Leak Undetected, 

Two APU/HYD Units Fail, Single APU/HYD 
Unit Landing Unsuccessful 




















Fault Tree for Sequence 28 LOV: All Three 
APU/HYD Units Leak Undetected, 

Two APU/HYD Units Fail, Single APU/HYD 
Unit Landing Unsuccessful (Continued) 



Indcpedcnt Common Cause Own Leak Leakage From Indepedent Common Cause Own Leak Leakage From 

Failure To Failure To Induced Failure Other Unit Failure To Failure To Induced Failure Other Unit 

Start Or Run Start Or Run To Stall Or Run Induced Failure Stall Or Run Start Or Run To Start Or Run Induced Failure 
















Fault Tree for Sequence 28 LOV: All Three 
APU/HYD Units Leak Undetected, 

Two APU/HYD Units Fail, Single APU/HYD 
Unit Landing Unsuccessful (Continued) 



Indepedent Common Cause Own Leak Leakage From 

Failure To Failure To Induced Failure Other Unit 

Start Or Run Start Or Run To Start Or Run Induced Failure 

















Fault Tree for Sequence 28 LOV: All Three 
APU/HYD Units Leak Undetected, 

Two APU/HYD Units Fail, Single APU/HYD 
Unit Landing Unsuccessful (Continued) 



Indepedent Common Cause Own Leak Leakage From 

Failure To Failure To Induced Failure Other Unit 

Start Or Run Start Or Run To Start Or Run Induced Failure 






















Fault Tree for Sequence 29 LOV: All Three 
APU/HYD Units Leak Undetected and all Three 
APU/HYD Units Fail 

















Fault Tree for Sequence 29 LOV: All Three 
APU/HYD Units Leak Undetected and all Three 
APU/HYD Units Fail (Continued) 























Event Sequence Diagram 
for a PLSRU State During 
Reentry, TAEM and Landing 






EVENT TREE OF A PLSRU INITIATING EVENT DURING REENTRY, TAEM AND LANDING 
Fault Tree For Sequence 3 LOV State With PLSRU Initiating Event During Reentry, TAEM and Landing
Gate inputs: Independent/Dependent Failure to Start or Run; Leakage Induced Failure to Start or Run

Fault Tree For Sequence 5 LOV State With PLSRU Initiating Event During Reentry, TAEM and Landing
Gate inputs: Independent/Dependent Failure to Start or Run; Leakage Induced Failure to Start or Run

Fault Tree For Sequence 6 LOV State With PLSRU Initiating Event
Gate inputs for each unit: Independent Failure to Start or Run; Common Cause Failure to Start or Run; Leakage Induced Failure to Start or Run

Event Sequence Diagram of APU/HYD Hydrazine Leaks During Ascent

Event Sequence Diagram of APU/HYD Hydrazine Leaks During Ascent (Continued)

Event Sequence Diagram for a PLSR2U State During Reentry, TAEM and Landing

EVENT TREE OF A PLSR2U INITIATING EVENT DURING REENTRY, TAEM AND LANDING

Event Sequence Diagram of a PLS3R State During Reentry, TAEM and Landing

EVENT TREE OF A PLS3R INITIATING EVENT DURING REENTRY, TAEM AND LANDING

Fault Tree For Sequence 4 LOV State With A PLS3R Initiating Event During Reentry, TAEM and Landing

Fault Tree For Sequence 6 LOV State With A PLS3R Initiating Event

Fault Tree For Sequence 7 LOV State With A PLS3R Initiating Event During Reentry, TAEM and Landing

Event Sequence Diagram for an External Hydrazine or Hydraulic Fluid Leak

EVENT TREE OF AN EXTERNAL HYDRAZINE OR HYDRAULIC FLUID LEAK

B.4. Electrical Power System

Failure mode: 2. No or insufficient ac power to critical systems.
Cause: 2.1. 2 of 3 inverter sets fail suddenly (complete outage or unacceptable voltage, frequency, or waveform).
Sub-cause: 2.1.1. Undetected pre-flight processing error.
Probability: 1E-06 per mission
Basis: 2.1.1. [1e-2 for processing error] * [1e-4 for failure to detect before launch] = 1e-6/mission.

Cause: Halon or its decomposition products damages critical components or disables equipment cooling.
Basis: concentration] * [1e-2 for failure to don breathing apparatus in time] = 1e-12/mission